Abstract

The interpretation of propositional dynamic logic (PDL) through Kripke models requires the relations constituting the interpreting Kripke model to closely observe the syntax of the modal operators. This poses a significant challenge for an interpretation of PDL through stochastic Kripke models, because the programs' operations do not always have a natural counterpart in the set of stochastic relations. We use rewrite rules for building up an interpretation of PDL. It is shown that each program corresponds to an essentially unique irreducible tree, which in turn is assigned a predicate lifting, serving as the program's interpretation. The paper establishes and studies this interpretation. It discusses the expressivity of probabilistic models for PDL and relates properties like logical and behavioral equivalence or bisimilarity to the corresponding properties of a Kripke model for a closely related non-dynamic logic of the Hennessy-Milner type.






1 Introduction 



The interpretation of propositional dynamic logic (PDL) through Kripke models requires, as is customary in modal logics, the relations in the interpreting Kripke model to closely observe the syntactic properties of the modal operators [1, Section 2.4]. For example, the nondeterministic choice $\pi \cup \pi'$ of programs $\pi$ and $\pi'$ is usually interpreted through a relation $R_{\pi\cup\pi'}$ which satisfies $R_{\pi\cup\pi'} = R_\pi \cup R_{\pi'}$, and the relation for the indefinite iteration $\pi^*$ should satisfy $R_{\pi^*} = R_\pi^*$.

This poses a significant challenge for an interpretation of PDL through stochastic Kripke models, because the programs' operations do not always have a natural counterpart in the set of stochastic relations. Clearly, operations like $K_\pi \cup K_{\pi'}$ or $K_\pi^*$ hardly make sense for transition probabilities $K_\pi$ and $K_{\pi'}$. In addition, an interpretation of PDL usually observes some tacit assumptions on the "static" semantics like $\pi_1;(\pi_2 \cup \pi_3) = \pi_1;\pi_2 \cup \pi_1;\pi_3$. We convert these implicit assumptions into rewrite rules. This permits building up an interpretation of PDL through terms in an algebra. Because we have to cater for the indefinite iteration of a program, the algebra admits an operator of infinite arity. It is shown that each program corresponds to an essentially unique irreducible tree, which in turn is assigned a natural transformation, serving as the program's interpretation. Some technical problems have to be overcome due to the observation that the interpretation of the indefinite iteration (the counterpart of the while-loop) requires a base space which is closed under the well-known Souslin operation from set theory. This is in particular inconvenient when the state space is assumed to be Polish: these spaces are closed under this operation only if they are finite. Hence previous results on the stochastic coalgebraic interpretation of modal logics are difficult to apply.

The paper discusses the expressivity of these models and relates properties like logical and 
behavioral equivalence or bisimilarity to the corresponding properties of a Kripke model for 
a closely related non-dynamic logic of the Hennessy-Milner type. 

We will in Section 2 have a look at term rewriting for programs, producing an irreducible tree from a program. This tree is well-founded, hence has no infinitely long paths, but it may have nodes with an infinite fan-out; these are exactly the nodes which correspond to the while-loop. We are able to produce an interpretation from an irreducible tree, provided we can interpret primitive programs, and we know how to handle the choice and the iteration operator. These operators are given through natural transformations for the Borel functor. We study these transformations in Section 3 together with some properties of the underlying measurable spaces; this becomes necessary because the presence of the iteration operator complicates the measurable structure of the validity sets, as shown in [9]. Sections 4 and 5 deal with models and interpretations: we first define the usual Kripke models and extend them to incorporate natural transformations. They will then help to define the semantics of PDL formulas. On the other hand, a simple modal logic of the Hennessy-Milner type is defined, the modal operators being given through the primitive programs. These logics are compared and help to give some insight into the question of expressivity; again, we have to be a bit careful because the case "bisimilarity vs. behavioral equivalence" makes some topological assumptions mandatory for a successful discussion. This requires extending the notion of a model in Section 6 for capturing fully the development discussed so far. A satisfactory answer on the equivalence of all three variants of expressivity can be given under the assumption that the respective sets of atomic expressions and of primitive programs are both countable. Finally, Section 7 wraps it all up and suggests further work.

2 Programs 

The modalities for PDL are given through a simple grammar which is intended to model 
programs. When interpreting the logic through a Kripke model, the problem arises that 
not each modal operator has a relation associated with it. Associating a relation with each 
primitive program and working in a monad permits interpreting the composition of primitive 
programs through Kleisli composition, but there is no provision for interpreting operators 
like the nondeterministic choice or the indefinite iteration. These interpretations have to be 
constructed explicitly. In order to be able to do this, we study the set of all programs first, 
introducing rewrite rules and equations for reducing programs to a simpler, more manageable 
form. 

The grammar for programs over the set $\mathcal{U}$ of primitive programs is given by

$$\pi ::= \rho \mid \pi_1 \cup \pi_2 \mid \pi_1 ; \pi_2 \mid \pi^*$$

with $\rho \in \mathcal{U}$. We assume that the empty program $e$ is a member of $\mathcal{U}$. The set $\mathcal{P}(\mathcal{U})$ of programs over $\mathcal{U}$ is perceived as the term algebra over the constants $\mathcal{U}$ with the unary operation $\cdot^*$ and the binary operations $\{;, \cup\}$. Program $\pi_1 \cup \pi_2$ is the nondeterministic choice of programs $\pi_1$ and $\pi_2$, $\pi_1;\pi_2$ is sequential composition, and $\pi^*$ is indefinite iteration: executing $\pi^*$ entails executing $\pi$ $k$ times with $k \geq 0$.

We assume that we have an operation $\bigvee$ of infinite arity. Denote the term algebra for the operators $\{;, \cup, *, \bigvee\}$ over $\mathcal{U}$ by $\mathfrak{L}(\mathcal{U})$. The free semigroup over $\mathcal{U}$ with respect to sequential program composition (the basic blocks of compiler construction) is denoted by $\Omega(\mathcal{U})$. Each program $\pi$ is given an ordinal number $w(\pi)$ as its weight. It is defined recursively through

$$w(\pi) := \begin{cases} 1, & \text{if } \pi = e,\\ 2, & \text{if } \pi \in \mathcal{U}\setminus\{e\},\\ w(\pi_1)\cdot w(\pi_2), & \text{if } \pi = \pi_1;\pi_2,\\ w(\pi_1)+w(\pi_2)+1, & \text{if } \pi = \pi_1\cup\pi_2,\\ \sup_{k\in\mathbb{N}} w(\pi_1^k), & \text{if } \pi = \pi_1^*.\end{cases}$$

Here $\pi^k$ is defined as the $k$-fold iteration of $\pi$, thus

$$\pi^k := \begin{cases} e, & \text{if } k = 0,\\ \pi^{k-1};\pi, & \text{otherwise.}\end{cases}$$

From the definition it is clear that $w(\pi) < \infty$ iff $\pi$ does not contain any iteration, i.e., a subexpression of the form $\pi_1^*$.

The static semantics of program composition is usually given through informal rules: executing $\pi_1;(\pi_2 \cup \pi_3)$, i.e., executing first $\pi_1$ and then choosing between $\pi_2$ and $\pi_3$, should be the same as choosing between $\pi_1;\pi_2$ and $\pi_1;\pi_3$; or executing $\pi_1;\pi_2^*;\pi_3$ should give the choice of executing $\pi_1;\pi_3$ (i.e., not executing $\pi_2$ at all) and $\pi_1;\pi_2;\pi_2^*;\pi_3$ (i.e., executing $\pi_2$ at least once in the context of $\pi_1$ and $\pi_3$). It helps for a coalgebraic interpretation to have a formal specification of these rules. We propose to use rewrite rules for this, augmented by equations which state properties like associativity.

We introduce these rewrite rules (in order to avoid parentheses, we assume that the operator $;$ binds tighter than the operator $\cup$):

$(d_l)$ $x;(y \cup z) \to x;y \cup x;z$

$(d_r)$ $(x \cup y);z \to x;z \cup y;z$

$(d_e)$ $x^* \to e;x^*;e$

$(d_*)$ $x;y^*;z \to x;z \cup x;y;y^*;z$
These are the equations:

$(id_l)$ $e;x \approx x$

$(id_r)$ $x;e \approx x$

$(ass_;)$ $x;(y;z) \approx (x;y);z$

$(ass_\cup)$ $x \cup (y \cup z) \approx (x \cup y) \cup z$

$(comm)$ $x \cup y \approx y \cup x$

$(idm)$ $x \cup x \approx x$

$(dis_\infty)$ $\bigvee(x_k \mid k \geq 0) \approx x_0 \cup \bigvee(x_{k+1} \mid k \geq 0)$

$(transp)$ $\bigvee(\bigvee(x_{k,\ell} \mid \ell \geq 0) \mid k \geq 0) \approx \bigvee(\bigvee(x_{k,\ell} \mid k \geq 0) \mid \ell \geq 0)$

The first group of equations states that $e$ plays the role of the program skip, and that choice as well as sequential composition are associative; choice is commutative as well. The last group deals with the operator $\bigvee$, which is assumed to be the implementation of the indefinite iteration. Equation $(dis_\infty)$ is akin to an infinite associative law: considering an infinite choice of programs is the same as considering the choice between the first one and the rest. Equation $(transp)$ says that $\pi_1^*;\pi_2^*$ can be interpreted either as $\pi_1$ terminating after a finite number of steps followed by $\pi_2^*$, or as $\pi_1^*$ followed by a finite number of executions of $\pi_2$.
The set $X$ of variables is assumed to be a countable set. As usual, a substitution $\sigma$ is a map from $X$ to $\mathcal{P}(\mathcal{U})$ which is extended accordingly.

Following [3], a term $\alpha \in \mathfrak{L}(\mathcal{U})$ is perceived as an ordered tree, each node of which has an address $a$ in the Dewey notation (the node with address $a = 0.1.3$ is reached through taking the leftmost son of the root, then its second son and finally the fourth offspring); the subtree of $\alpha$ rooted at the node which has the address $a$ is denoted by $\alpha|_a$. Denote by $\alpha[\gamma]_a$ the tree in which the subtree of $\alpha$ which is rooted at $a$ is replaced by the tree associated with term $\gamma$.

We say that $\alpha \Rightarrow \beta$ iff there exists a rule $l \to r$, a position $a$ and a substitution $\sigma$ such that $\alpha|_a = \sigma(l)$ and $\alpha[\sigma(r)]_a = \beta$. The reflexive-transitive closure of $\Rightarrow$ is denoted as usual by $\Rightarrow^*$. Call $\alpha \in \mathfrak{L}(\mathcal{U})$ irreducible iff there is no $\beta \in \mathfrak{L}(\mathcal{U})$ with $\alpha \Rightarrow^* \beta$ and $\beta \neq \alpha$.
Denote by $\equiv$ the congruence defined by $\approx \cup \Rightarrow$ on $\mathfrak{L}(\mathcal{U})$, thus $\equiv$ is the smallest equivalence relation on $\mathfrak{L}(\mathcal{U})$ which is compatible with the operations $\{;, \cup, *, \bigvee\}$ on $\mathfrak{L}(\mathcal{U})$ and which contains the relation $\approx \cup \Rightarrow$. The canonical projection which assigns $\alpha \in \mathfrak{L}(\mathcal{U})$ its class $[\alpha]_\equiv$ is denoted by $\eta_\equiv : \mathfrak{L}(\mathcal{U}) \to \mathfrak{L}(\mathcal{U})/\equiv$.

The following statement shows that rewriting a program with finite weight always terminates. It does not give, however, a unique result; the result is rather determined uniquely up to $\equiv$ (which is not surprising given, e.g., associativity, commutativity and idempotence of the nondeterministic choice).

Lemma 2.1 Let $\pi \in \mathcal{P}(\mathcal{U})$ be a program with $w(\pi) < \infty$. Then there exists $F \subseteq \Omega(\mathcal{U})$ finite with $\pi \Rightarrow^* \bigcup F$. If $\pi \Rightarrow^* \bigcup F'$ for some finite $F' \subseteq \Omega(\mathcal{U})$, then $\eta_\equiv[F] = \eta_\equiv[F']$.

Proof Note that $w(\pi_1;(\pi_2 \cup \pi_3)) > w(\pi_1;\pi_2 \cup \pi_1;\pi_3)$ (see [3, p. 270]), similarly for rule $(d_r)$. Because $w(\pi) < \infty$, any application of the rewrite rules $(d_l)$ and $(d_r)$ terminates. Thus $\pi \Rightarrow^* \bigcup F$ for some $F \subseteq \Omega(\mathcal{U})$ finite. Uniqueness up to $\equiv$ is established by induction on the structure of $\pi$. $\dashv$
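The rewrite rules $(d_l)$, $(d_r)$ and the finite-weight normal form of Lemma 2.1, as an added example in Python that is not part of the paper: programs are nested tuples, `weight` is $w(\pi)$ with infinity standing in for the limit ordinal, `blocks` computes the finite set $F \subseteq \Omega(\mathcal{U})$ of basic blocks, and `unfold` (a helper assumed for this example, not the paper's $\bigvee$) truncates the infinite choice that $(d_*)$ and $(dis_\infty)$ describe at a given depth.

```python
"""Term rewriting for PDL programs over a set of primitive programs (added example)."""
from __future__ import annotations
import math
from typing import FrozenSet, Tuple

# Grammar  pi ::= rho | pi1 u pi2 | pi1 ; pi2 | pi*  as nested tuples.
# The empty program e is a primitive, as the paper assumes.
E = ("prim", "e")

def prim(name: str) -> tuple:
    return ("prim", name)

def seq(p: tuple, q: tuple) -> tuple:
    return ("seq", p, q)

def choice(p: tuple, q: tuple) -> tuple:
    return ("choice", p, q)

def star(p: tuple) -> tuple:
    return ("star", p)

def weight(p: tuple) -> float:
    """w(pi); math.inf stands in for sup_k w(pi^k), which is a limit ordinal."""
    kind = p[0]
    if kind == "prim":
        return 1 if p == E else 2
    if kind == "seq":
        return weight(p[1]) * weight(p[2])
    if kind == "choice":
        return weight(p[1]) + weight(p[2]) + 1
    return math.inf  # kind == "star"

Block = Tuple[str, ...]  # a basic block rho1;...;rhok, the empty tuple being e

def blocks(p: tuple) -> FrozenSet[Block]:
    """Normal form of a finite-weight program: the set F with pi =>* U F (Lemma 2.1).
    (d_l) and (d_r) distribute ';' over 'u' (the seq case); (id_l), (id_r) are the
    empty tuple for e; (ass), (comm), (idm) are absorbed by tuples and frozensets."""
    kind = p[0]
    if kind == "prim":
        return frozenset({() if p == E else (p[1],)})
    if kind == "choice":
        return blocks(p[1]) | blocks(p[2])
    if kind == "seq":
        return frozenset(x + y for x in blocks(p[1]) for y in blocks(p[2]))
    raise ValueError("program has infinite weight (contains an iteration)")

def unfold(p: tuple, depth: int) -> tuple:
    """Replace every x* by e u x u x;x u ... u x^depth, the first depth+1 members
    of the infinite choice V(x^k | k >= 0) (helper assumed for this example)."""
    kind = p[0]
    if kind == "prim":
        return p
    if kind in ("seq", "choice"):
        return (kind, unfold(p[1], depth), unfold(p[2], depth))
    body = unfold(p[1], depth)
    acc, power = E, E
    for _ in range(depth):
        power = seq(power, body)   # x^k = x^(k-1);x
        acc = choice(acc, power)
    return acc

def pretty(blocks_: FrozenSet[Block]) -> str:
    """Render a set of basic blocks as a choice of ';'-sequences."""
    return " ∪ ".join(";".join(b) or "e" for b in sorted(blocks_))

if __name__ == "__main__":
    a, b, c = prim("a"), prim("b"), prim("c")
    print(pretty(blocks(seq(a, choice(b, c)))))            # (d_l)
    print(pretty(blocks(unfold(seq(seq(a, star(b)), c), 2))))  # (d_*) unfolded twice
```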

These are some properties of irreducible elements of $\mathfrak{L}(\mathcal{U})$.

Lemma 2.2 Denote by $\mathfrak{I}(\mathcal{U})$ the set of irreducible elements in $\mathfrak{L}(\mathcal{U})$.

a) $\mathfrak{I}(\mathcal{U})$ is closed under the operators $\cup$ and $\bigvee$.

b) If $\beta_1, \beta_2 \in \mathfrak{I}(\mathcal{U})$, there exists $\beta_3 \in \mathfrak{I}(\mathcal{U})$ such that $\beta_1;\beta_2 \equiv \beta_3$.

c) If $\pi \in \mathcal{P}(\mathcal{U})$ with $w(\pi) < \infty$, then $\pi$ is irreducible iff there exists $F \subseteq \Omega(\mathcal{U})$ with $\pi =_{;} \bigcup F$, $=_{;}$ denoting equality modulo associativity of the operator $;$.

Proof 1. It is clear that $\mathfrak{I}(\mathcal{U})$ is closed under $\cup$ because there is no rewrite rule which has $\cup$ as its main operator on its left hand side. It is also clear that $\mathfrak{I}(\mathcal{U})$ is closed under the infinite operator $\bigvee$, because each transformation of such a term is pushed into its components. Each element of $\Omega(\mathcal{U})$ is irreducible, so is their finite union. From this follows the claim for programs of finite rank.

2. Note that the syntax tree associated with an element of $\mathfrak{L}(\mathcal{U})$ is well founded, since it does not have paths of infinite length. An easy induction on the tree for $\beta \in \mathfrak{I}(\mathcal{U})$ shows that if $\rho \in \Omega(\mathcal{U})$, then there exists $\beta' \in \mathfrak{I}(\mathcal{U})$ with $\rho;\beta \equiv \beta'$.

In fact, if $\beta = \pi \in \mathcal{P}(\mathcal{U})$ with $w(\pi) < \infty$, or if $\beta = \beta_1 \cup \beta_2$ with irreducible $\beta_1, \beta_2$, the claim follows easily. If we can write $\beta = \beta_1;\beta_2$, then irreducibility of $\beta$ implies irreducibility of $\rho;\beta$. Finally, assume that $\beta = \bigvee(\beta_k \mid k \geq 0)$, then all $\beta_k$ are irreducible, and $\rho;\beta \equiv \bigvee(\rho;\beta_k \mid k \geq 0)$. For $\rho;\beta_k$ we find $\beta'_k$ with $\rho;\beta_k \equiv \beta'_k$ by induction hypothesis, so that $\rho;\beta \equiv \beta' := \bigvee(\beta'_k \mid k \geq 0)$ with $\beta' \in \mathfrak{I}(\mathcal{U})$.

3. We show now that $\beta_1, \beta_2 \in \mathfrak{I}(\mathcal{U})$ implies the existence of $\beta_3 \in \mathfrak{I}(\mathcal{U})$ with $\beta_1;\beta_2 \equiv \beta_3$ by induction on the syntax tree for $\beta_1$. If this tree is finite, then parts 1. and 2. show that $\beta_1;\beta_2 = \bigcup_{\rho\in F} \rho;\beta_2 \equiv \bigcup_{\rho\in F} \beta_\rho$ with $\beta_\rho \in \mathfrak{I}(\mathcal{U})$ for some finite $F \subseteq \Omega(\mathcal{U})$. Assume $\beta_1 = \bigvee(\beta_{1,k} \mid k \geq 0)$. By the induction hypothesis we know that for each $k$ there exists $\beta'_k \in \mathfrak{I}(\mathcal{U})$ such that $\beta_{1,k};\beta_2 \equiv \beta'_k$, so that $\beta_1;\beta_2 \equiv \bigvee(\beta'_k \mid k \geq 0)$, the latter being irreducible. If the tree for $\beta_1$ is infinite and has the operator $;$ as its root, say $\beta_1 = \beta_{1,a};\beta_{1,b}$, then at least one of the trees for $\beta_{1,a}$ or $\beta_{1,b}$ is infinite. Assume without loss of generality that $\beta_{1,a} = \bigvee(\beta_{1,a,k} \mid k \geq 0)$, then $\beta_1 = \bigvee(\beta_{1,a,k};\beta_{1,b} \mid k \geq 0)$. Consequently, the induction hypothesis may be applied through the same argumentation as above. $\dashv$

This has as an immediate consequence that each program is equivalent to an irreducible one (which may have infinite branches).

Corollary 2.3 Given a program $\pi \in \mathcal{P}(\mathcal{U})$, there exists $\beta \in \mathfrak{I}(\mathcal{U})$ such that $\pi \equiv \beta$.

Proof The proof proceeds by induction on $w(\pi)$. If $w(\pi) < \infty$, the assertion follows from Lemma 2.2, part c. Now let $\pi$ with $w(\pi) = \infty$ be given, and assume that the assertion is established for all programs $\pi'$ with $w(\pi') < w(\pi)$. If $\pi = \pi_1 \cup \pi_2$ or $\pi = \pi_1^*$, the assertion follows from the induction hypothesis together with part a in Lemma 2.2. If, however, $\pi = \pi_1;\pi_2$, we apply the induction hypothesis to $\pi_1$ and $\pi_2$; the assertion then follows from part b in Lemma 2.2. $\dashv$

Because $\equiv$ is a congruence, these operations on $\mathfrak{L}(\mathcal{U})/\equiv$ are well defined:

$$[\pi_1]_\equiv \cup [\pi_2]_\equiv := [\pi_1 \cup \pi_2]_\equiv,\qquad \bigvee([\pi_k]_\equiv \mid k \geq 0) := [\bigvee(\pi_k \mid k \geq 0)]_\equiv.$$

Define the map $\Theta : \mathcal{P}(\mathcal{U}) \to \mathfrak{L}(\mathcal{U})/\equiv$ inductively on the weight of program $\pi$ as follows.

a) If $w(\pi) < \infty$, put

$$\Theta(\pi) := \bigcup\{[\rho]_\equiv \mid \rho \in F\}$$

with $\pi \Rightarrow^* \bigcup F$ and $F \subseteq \Omega(\mathcal{U})$ according to Lemma 2.1.

b) Proceeding inductively, assume that $\Theta(\pi_1)$ and $\Theta(\pi_2)$ are defined, then put

$$\Theta(\pi_1 \cup \pi_2) := \Theta(\pi_1) \cup \Theta(\pi_2).$$

c) Continuing with an inductive definition, assume that $\pi = \pi_1;\pi_2$ with $w(\pi)$ not finite. We distinguish three cases.

(i) $w(\pi_1)$ is finite. Since $w(\pi_1;\pi_2)$ is not finite, we can represent $w(\pi_2)$ through $m_0 + k$, where $m_0$ is a limit ordinal and $k$ is finite. Thus $\pi_2 = \pi_{2,a} \cup \pi_{2,b}$ with $w(\pi_{2,a}) = m_0$ and $w(\pi_{2,b}) = k$. Then $\pi_{2,a} = \pi';\pi_{2,c}^*$ with $w(\pi')$ finite. This is so since $\ell \cdot m = m$ for any finite $\ell$ and any limit ordinal $m$. Thus

$$\pi = \pi_1;(\pi';\pi_{2,c}^* \cup \pi_{2,b}) = (\pi_1;\pi');\pi_{2,c}^* \cup \pi_1;\pi_{2,b}.$$

Because both $w(\pi_1;\pi')$ and $w(\pi_1;\pi_{2,b})$ are finite, and since $w(\pi_{2,c}^k) < w(\pi_{2,c}^*)$, $\Theta$ is defined for these arguments, and we put

$$\Theta(\pi) := \bigvee(\Theta(\pi_1;\pi';\pi_{2,c}^k) \mid k \geq 0) \cup \Theta(\pi_1;\pi_{2,b}).$$

(ii) $w(\pi_2)$ is finite. We find $F \subseteq \Omega(\mathcal{U})$ finite with $\pi = \bigcup\{\pi_1;\rho \mid \rho \in F\}$. Similar to the case above we represent $\pi_1 = \pi_0;\pi_{1,a}^* \cup \pi_{1,b}$ with both $w(\pi_0)$ and $w(\pi_{1,b})$ finite. Hence $\pi_0 = \bigcup\{\rho' \mid \rho' \in G\}$ for some finite $G \subseteq \Omega(\mathcal{U})$. Then define

$$\Theta(\pi) := \bigcup_{\rho\in F}\bigcup_{\rho'\in G} \bigvee(\Theta(\rho';\pi_{1,a}^k;\rho) \mid k \geq 0) \cup \Theta(\pi_{1,b};\pi_2).$$

(iii) Both $w(\pi_1)$ and $w(\pi_2)$ are not finite. Represent

$$\pi_1 = \pi_{1,a};\pi_{1,b}^* \cup \pi_{1,c},\qquad \pi_2 = \pi_{2,a};\pi_{2,b}^* \cup \pi_{2,c}$$

with $w(\pi_{1,a}), w(\pi_{1,c}), w(\pi_{2,a}), w(\pi_{2,c})$ finite. Apply the rules $(d_l)$ and $(d_r)$ to obtain

$$\pi_1;\pi_2 = \pi_{1,a};\pi_{1,b}^*;\pi_{2,a};\pi_{2,b}^* \cup \pi_{1,c};\pi_{2,a};\pi_{2,b}^* \cup \pi_{1,a};\pi_{1,b}^*;\pi_{2,c} \cup \pi_{1,c};\pi_{2,c}.$$

Because we may represent $\pi_{1,a} = \bigcup\{\rho \mid \rho \in F\}$ and $\pi_{2,a} = \bigcup\{\rho' \mid \rho' \in F'\}$ for some finite $F, F' \subseteq \Omega(\mathcal{U})$, we may and do assume that $\pi_{1,a}, \pi_{2,a} \in \Omega(\mathcal{U})$. Put

$$\Theta(\pi_{1,a};\pi_{1,b}^*;\pi_{2,a};\pi_{2,b}^*) := \bigvee_{k\geq 0}\bigvee_{\ell\geq 0} \Theta(\pi_{1,a};\pi_{1,b}^k;\pi_{2,a};\pi_{2,b}^\ell)\;\Bigl(= \bigvee_{\ell\geq 0}\bigvee_{k\geq 0} \Theta(\pi_{1,a};\pi_{1,b}^k;\pi_{2,a};\pi_{2,b}^\ell)\Bigr).$$

Because $\max\{w(\pi_{1,c};\pi_{2,a};\pi_{2,b}^*),\, w(\pi_{1,a};\pi_{1,b}^*;\pi_{2,c}),\, w(\pi_{1,c};\pi_{2,c})\} < w(\pi)$, we may now define

$$\Theta(\pi) := \Theta(\pi_{1,a};\pi_{1,b}^*;\pi_{2,a};\pi_{2,b}^*) \cup \Theta(\pi_{1,c};\pi_{2,a};\pi_{2,b}^*) \cup \Theta(\pi_{1,a};\pi_{1,b}^*;\pi_{2,c}) \cup \Theta(\pi_{1,c};\pi_{2,c}).$$

The construction shows that $\pi \equiv \beta$ for $\beta \in \mathfrak{I}(\mathcal{U})$ entails $\beta \in \Theta(\pi)$, thus we obtain from Corollary 2.3:

Proposition 2.4 $\Theta : \mathcal{P}(\mathcal{U}) \to \mathfrak{L}(\mathcal{U})/\equiv$ is well defined. $\dashv$

Summarizing, we construct for a program $\pi \in \mathcal{P}(\mathcal{U})$ an equivalence class which contains an irreducible element of $\mathfrak{L}(\mathcal{U})$. Such an irreducible program is composed of the choice operator and the explicit form of the indefinite iteration. The primitive programs appear only in the form of basic blocks $\rho_1;\ldots;\rho_k$ with $\rho_1, \ldots, \rho_k \in \mathcal{U}$.

Consequently, an interpretation of a logic carrying programs for modalities will have to cater for the respective interpretation of the choice operator, the explicit form of the indefinite iteration, and the basic blocks. The latter ones can be composed from the interpretation of the primitive programs, for example in those cases that are given by a monad, where composition of programs may be modelled through Kleisli composition [15].
Instead of providing after the preparations above a general coalgebraic interpretation through a monad over the category of sets, we propose an interpretation through stochastic relations (which offers its own idiosyncrasies in turn).

3 Transformations 

We collect for the reader's convenience some techniques and tools from set theory and probability, in particular techniques for working with $\sigma$-algebras and their completion.

3.1 Measurability 

A measurable space $S$ is a set, again denoted by $S$, together with a Boolean $\sigma$-algebra $\mathcal{B}(S)$, thus $\mathcal{B}(S)$ is an algebra of sets which is also closed under countable unions. Denote for a set $\mathcal{A}$ of subsets of a set $S$ by $\sigma(\mathcal{A})$ the smallest $\sigma$-algebra containing $\mathcal{A}$.

A map $f : S \to T$ is called $\mathcal{B}(S)$-$\mathcal{B}(T)$-measurable (or just measurable, if the context is clear) iff the inverse image of each Borel set in $T$ is a Borel set in $S$, or, formally, iff

$$f^{-1}[\mathcal{B}(T)] := \{f^{-1}[C] \mid C \in \mathcal{B}(T)\} \subseteq \mathcal{B}(S).$$

If $\mathcal{B}(T) = \sigma(\mathcal{A})$, then $f : S \to T$ is measurable iff $f^{-1}[A] \in \mathcal{B}(S)$ for all $A \in \mathcal{A}$.
The real numbers always carry the Borel sets $\mathcal{B}(\mathbb{R})$ as a $\sigma$-algebra, where

$$\mathcal{B}(\mathbb{R}) := \sigma(\{G \subseteq \mathbb{R} \mid G \text{ open}\}) = \sigma(\{\,]a, b[\, \mid a, b \in \mathbb{R}, a < b\}).$$

Let $\mathfrak{S}(S)$ be the set of all subprobabilities on measurable space $S$, then $\mathcal{B}(\mathfrak{S}(S))$ will be the weak-*-$\sigma$-algebra, i.e., the smallest $\sigma$-algebra on $\mathfrak{S}(S)$ which makes all the evaluations $ev_A : \mu \mapsto \mu(A)$ Borel-measurable. Then

$$\mathcal{B}(\mathfrak{S}(S)) = \sigma(\{b_{q,A} \mid q \in \mathfrak{Rat}_{0,1}, A \in \mathcal{B}(S)\})$$

with

$$b_{q,A} := ev_A^{-1}[\,]-\infty, q[\,] = \{\mu \in \mathfrak{S}(S) \mid \mu(A) < q\}.$$

A stochastic relation $K : S \rightsquigarrow T$ between the measurable spaces $S$ and $T$ is a Borel measurable map from $S$ to $\mathfrak{S}(T)$; sometimes stochastic relations are called transition subprobabilities.



September 19, 2011 



Page 8 



Coalgebraic Interpretation of PDL 



Thus $K : S \rightsquigarrow T$ is a stochastic relation iff $K(s)$ is a subprobability on the measurable space $T$ for each $s \in S$ such that $s \mapsto K(s)(B)$ is a $\mathcal{B}(S)$-measurable function for each $B \in \mathcal{B}(T)$.
Denote by $\mathbf{M}$ the category of measurable spaces with measurable maps as morphisms, and by $\mathbf{N}$ the category of all $\sigma$-algebras with maps. The Borel functor $\mathfrak{B} : \mathbf{M} \to \mathbf{N}$ assigns to each measurable space its Borel sets, and to a morphism $f : S \to T$ its inverse image $f^{-1} : \mathcal{B}(T) \to \mathcal{B}(S)$. Thus $\mathfrak{B}$ is a contravariant functor. This has been discussed extensively in [10, 7].
Given a morphism $f : S \to T$ in category $\mathbf{M}$, we obtain a morphism $\mathfrak{S}(f) : \mathfrak{S}(S) \to \mathfrak{S}(T)$ in $\mathbf{M}$ upon defining

$$\mathfrak{S}(f)(\mu)(B) := \mu(f^{-1}[B])$$

for $\mu \in \mathfrak{S}(S)$ and $B \in \mathcal{B}(T)$. $\mathfrak{S}(f)$ is $\mathcal{B}(\mathfrak{S}(S))$-$\mathcal{B}(\mathfrak{S}(T))$-measurable because

$$\mathfrak{S}(f)^{-1}[b_{q,B}] = b_{q,f^{-1}[B]}$$

holds for each real $q$ and each measurable set $B \in \mathcal{B}(T)$. Functor $\mathfrak{S}$ is the functorial part of a monad which is sometimes called the Giry monad [12, 5, 6].

Let $K : S \rightsquigarrow S$ and $L : T \rightsquigarrow T$ be stochastic relations for the measurable spaces $S$ and $T$, then a measurable map $f : S \to T$ is called a morphism $f : K \to L$ iff $L \circ f = \mathfrak{S}(f) \circ K$ holds, rendering the diagram

$$\begin{array}{ccc} S & \xrightarrow{\;f\;} & T\\ {\scriptstyle K}\downarrow & & \downarrow{\scriptstyle L}\\ \mathfrak{S}(S) & \xrightarrow{\;\mathfrak{S}(f)\;} & \mathfrak{S}(T)\end{array}$$

commutative. Expanded, this means that

$$L(f(s))(B) = K(s)(f^{-1}[B])$$

holds for each state $s \in S$ and each measurable set $B \in \mathcal{B}(T)$.

We will need this technical statement for transformations when considering runs of primitive 
programs below. 

Lemma 3.1 Let $S$ and $T$ be measurable spaces, $f : S \to T$ be a measurable map. Assume that $g : T \to \mathbb{R}$ is measurable and bounded.

a. For any $\mu \in \mathfrak{S}(S)$

$$\int_T g(y)\, \mathfrak{S}(f)(\mu)(dy) = \int_S (g \circ f)(x)\, \mu(dx).$$

b. If $f : K \to L$ is a morphism for the stochastic relations $K : S \rightsquigarrow S$ and $L : T \rightsquigarrow T$, then

$$\int_T g(y)\, L(f(s))(dy) = \int_S (g \circ f)(x)\, K(s)(dx).$$

Proof The formula in part a is the classical Change of Variables Formula, see [7, Lemma 1.6.20]. Part b is an immediate consequence: because $L(f(s)) = \mathfrak{S}(f)(K(s))$, we may write

$$\int_T g(y)\, L(f(s))(dy) = \int_T g(y)\, (\mathfrak{S}(f)(K(s)))(dy) = \int_S g(f(x))\, K(s)(dx),$$

the last equation being due to part a. $\dashv$
3.2 The Souslin Operation

When interpreting the indefinite iteration $\pi^*$ of program $\pi$, we will be faced with the problem that validity sets for formulas formed using $\pi^*$ will be using uncountable unions. Thus these validity sets may not be measurable, because measurability always assumes countable operations. There is, however, a broad class of measurable spaces which permit uncountable operations in restricted form; by a completion operation, each measurable space can be embedded into such a space. This restricted form is described by the Souslin operation, which will be introduced now.

A measurable space $S$ is closed under the Souslin operation iff, whenever $\{A_\nu \mid \nu \in \Omega(\mathbb{N}_0)\} \subseteq \mathcal{B}(S)$ is a family of measurable sets indexed by finite sequences of natural numbers, we have

$$\bigcup_{\alpha \in \mathbb{N}_0^{\mathbb{N}}}\ \bigcap_{n \in \mathbb{N}} A_{\alpha|n} \in \mathcal{B}(S),$$

where $\alpha|n$ are the first $n$ elements of sequence $\alpha$. This is sometimes called operation $\mathcal{A}$ on the Souslin scheme $\{A_\nu \mid \nu \in \Omega(\mathbb{N}_0)\}$ [11, XI.5].

Define for the measurable space $S$ and a subprobability $\mu \in \mathfrak{S}(S)$ its $\mu$-completion through

$$A \in \mathcal{B}(S^\mu) \iff \exists A_0, A_1 \in \mathcal{B}(S) : A_0 \subseteq A \subseteq A_1 \text{ and } \mu(A_1 \setminus A_0) = 0.$$

Thus all sets which differ from a Borel set by a set of $\mu$-measure $0$ are added to the Borel sets; the underlying set remains unchanged. Then $\mathcal{B}(S^\mu)$ is a $\sigma$-algebra again. If $M \subseteq \mathfrak{S}(S)$ is a non-empty set of subprobabilities on $S$, put

$$\mathcal{B}(S^M) := \bigcap_{\mu \in M} \mathcal{B}(S^\mu).$$

Definition 3.2 $S^M$ is called the $M$-completion of $S$, $S^{\mathfrak{S}(S)}$ is called the universal completion of $S$ and is denoted by $\overline{S}$.

The important property reads

Proposition 3.3 The measurable space $S^M$ is closed under the Souslin operation for every $\emptyset \neq M \subseteq \mathfrak{S}(S)$.

Proof [20, Theorem 3.5.22]. $\dashv$

Measurability of maps carries over to the completion. 

Lemma 3.4 Given measurable spaces $S$ and $T$, assume that $f : S \to T$ is $\mathcal{B}(S)$-$\mathcal{B}(T)$-measurable.

a. Let $M \subseteq \mathfrak{S}(S)$, $N \subseteq \mathfrak{S}(T)$ such that $\mathfrak{S}(f)(\mu) \in N$ for all $\mu \in M$. Then $f$ is $\mathcal{B}(S^M)$-$\mathcal{B}(T^N)$-measurable.

b. $f$ is $\mathcal{B}(\overline{S})$-$\mathcal{B}(\overline{T})$-measurable.

Proof [9, Proposition 4.3]. $\dashv$

We note for later use that a stochastic relation can be extended to the completion of a 
measurable space as well, provided the measurable space is separable. This means that the 
Borel sets are countably generated, formally: 
Definition 3.5 $S$ is called separable iff there exists a countable family $\mathcal{A}_0$ of subsets of $S$ such that $\mathcal{B}(S) = \sigma(\mathcal{A}_0)$.

For example, $\mathbb{R}$ is separable, and so is every measurable space that has as Borel sets the $\sigma$-algebra generated by the open sets of a topological space with a countable base. Polish spaces are an important special case: call a second countable topological space Polish iff the topology can be metrized with a complete metric. The Borel sets of a Polish space are countably generated, so that a measurable space generated from a Polish space is separable; the natural topology on the reals is Polish. A measurable space generated from a Polish space is called a Standard Borel space (hence, discussing a Standard Borel space, we are not interested in its topological but rather in its measurable structure).

The following proposition shows why separable measurable spaces are of interest to us. We 
will use it later for completing models (but maintaining expressivity). 

Proposition 3.6 Let $S$ be a separable measurable space, $K : S \rightsquigarrow S$ be a stochastic relation on $S$. Then there exists a unique stochastic relation $\overline{K} : \overline{S} \rightsquigarrow \overline{S}$ extending $K$. Let $L$ be another stochastic relation defined over a separable measurable space. If $f : K \to L$ is a morphism, then $f : \overline{K} \to \overline{L}$ is a morphism.

Proof [9, Proposition 7.10, Corollary 7.6]. $\dashv$

3.3 Natural Transformation

The category of all measurable spaces which are closed under the Souslin operation is denoted by $\mathcal{V}$; the restriction of functor $\mathfrak{B}$ to $\mathcal{V}$ is again denoted by $\mathfrak{B}$.

Denote by $\mathbf{S}$ the category of stochastic relations; it has pairs $(S, R)$ as objects and the morphisms defined above as morphisms. Define functor $\mathfrak{B}^\dagger$ on $\mathbf{S}$ through functor $\mathfrak{B}$ by defining $\mathfrak{B}^\dagger := \mathfrak{B} \circ \mathfrak{U}$ with $\mathfrak{U} : \mathbf{S} \to \mathbf{M}$ as the forgetful functor; hence $\mathfrak{B}^\dagger(S, R) = \mathfrak{B}(S)$, and $\mathfrak{B}^\dagger$ acts on morphisms accordingly. "Daggering" a functor will compose it with the forgetful functor $\mathfrak{U}$.

The constant functor assigning each measurable space the rationals between $0$ and $1$ is also denoted by $\mathfrak{Rat}_{0,1}$. Let $\mathbf{N}^R$ be the category which has all maps $\mathfrak{Rat}_{0,1} \to \mathcal{B}(S)$ for a measurable space $S$ as objects; a morphism $F : (\mathfrak{Rat}_{0,1} \to \mathcal{B}(S)) \to (\mathfrak{Rat}_{0,1} \to \mathcal{B}(T))$ is induced by a map $F : \mathcal{B}(S) \to \mathcal{B}(T)$ so that $F(\gamma)(q) = F(\gamma(q))$ for the object $\gamma : \mathfrak{Rat}_{0,1} \to \mathcal{B}(S)$ and $q \in \mathfrak{Rat}_{0,1}$ holds. Denote by $\mathfrak{B}^R$ the functor $\mathbf{M} \to \mathbf{N}^R$ which maps the measurable space $S$ to $\{\gamma \mid \gamma : \mathfrak{Rat}_{0,1} \to \mathcal{B}(S) \text{ is a map}\}$, and $f : S \to T$ measurable is mapped to the morphism induced by $f^{-1}$; thus $\mathfrak{B}^R$ is contravariant.

Assume that $\tau : \mathfrak{Rat}_{0,1} \times \mathfrak{B} \mathrel{\dot\to} \mathfrak{B}$ is a natural transformation, thus $\tau_S(\cdot, A) : q \mapsto \tau_S(q, A) \in \mathcal{B}(S)$ is an object in $\mathbf{N}^R$ for each measurable space $S$ and for each $A \in \mathcal{B}(S)$.

Lemma 3.7 Put

$$\tilde{\tau}_S(A) := \tau_S(\cdot, A)$$

for a natural transformation $\tau : \mathfrak{Rat}_{0,1} \times \mathfrak{B} \mathrel{\dot\to} \mathfrak{B}$ and $A \in \mathcal{B}(S)$; then $\tilde{\tau} : \mathfrak{B} \mathrel{\dot\to} \mathfrak{B}^R$ is a natural transformation.
Proof In fact, if $f : S \to T$ is a measurable map, then we have for the measurable set $A \in \mathcal{B}(T)$ and $q \in \mathfrak{Rat}_{0,1}$

$$\begin{aligned} \tilde{\tau}_S(\mathfrak{B}(f)(A))(q) &= \tau_S(q, f^{-1}[A])\\ &= (\tau_S \circ (\mathfrak{Rat}_{0,1} \times \mathfrak{B})(f))(q, A)\\ &= \mathfrak{B}(f)(\tau_T(q, A))\\ &= (\mathfrak{B}^R(f)(\tilde{\tau}_T(A)))(q). \end{aligned}$$

$\dashv$

Corollary 3.8 $\tilde{\tau}^\dagger : \mathfrak{B}^\dagger \mathrel{\dot\to} \mathfrak{B}^{R\dagger}$ is a natural transformation, provided $\tau : \mathfrak{Rat}_{0,1} \times \mathfrak{B}^\dagger \mathrel{\dot\to} \mathfrak{B}^\dagger$ is natural. $\dashv$

As an illustration, each stochastic relation induces a natural transformation $\mathfrak{Rat}_{0,1} \times \mathfrak{B}^\dagger \mathrel{\dot\to} \mathfrak{B}^\dagger$ via the evaluation map.

Lemma 3.9 Let $K : S \rightsquigarrow S$ be a stochastic relation. Then

$$w_K(q)(A) := \{s \in S \mid K(s)(A) < q\}$$

defines a natural transformation $w : \mathfrak{Rat}_{0,1}^\dagger \times \mathfrak{B}^\dagger \mathrel{\dot\to} \mathfrak{B}^\dagger$.

Proof Because $w_K(q)(A) = K^{-1}[b_{q,A}]$, and since $K$ is a measurable map, we infer $w_K(q)(A) \in \mathcal{B}(S)$ whenever $K : S \rightsquigarrow S$. Now let $f : K \to L$ be a morphism, and take $(q, B) \in \mathfrak{Rat}_{0,1} \times \mathcal{B}(T)$, then

$$\begin{aligned} (\mathfrak{B}(f) \circ w_L)(q, B) &= f^{-1}[\{t \in T \mid L(t)(B) < q\}]\\ &= \{s \in S \mid K(s)(f^{-1}[B]) < q\}\\ &= (w_K \circ (\mathfrak{Rat}_{0,1} \times \mathfrak{B})(f))(q, B). \end{aligned}$$

$\dashv$

Another consequence is interesting for us as well.

Corollary 3.10 Assume that $\Phi : (\mathfrak{B}^R)^I \mathrel{\dot\to} \mathfrak{B}^R$ is a natural transformation with $I = \{1, \ldots, n\}$ for $n \in \mathbb{N}$ or $I = \mathbb{N}$, and that $\psi_i : \mathfrak{Rat}_{0,1} \times \mathfrak{B} \mathrel{\dot\to} \mathfrak{B}$ for $i \in I$. Then $\Phi((\tilde{\psi}_i)_{i\in I})$ defines a natural transformation $\hat{\Phi} : \mathfrak{Rat}_{0,1} \times \mathfrak{B} \mathrel{\dot\to} \mathfrak{B}$ with $\hat{\Phi}_S(q)(A) = \Phi_S((\psi_{i,S}(\cdot, A))_{i\in I})(q)$. $\dashv$

To illustrate, define for rational $q > 0$ the sets

$$\begin{aligned} Q^{(n)}(q) &:= \{a \in \mathfrak{Rat}_{0,1}^n \mid a_1 + \cdots + a_n < q\},\\ Q^{(\infty)}(q) &:= \{(a_n)_{n\in\mathbb{N}} \in \mathfrak{Rat}_{0,1}^{\mathbb{N}} \mid a_1 + a_2 + \cdots < q\}. \end{aligned}$$

Example 3.11 Let $(\eta_1, \eta_2) \in \mathfrak{B}^R(S) \times \mathfrak{B}^R(S)$ for a measurable space $S$, and define for $q \in \mathfrak{Rat}_{0,1}$

$$\Phi_S(\eta_1, \eta_2)(q) := \bigcup_{(a_1, a_2) \in Q^{(2)}(q)} \bigl(\eta_1(a_1) \cap \eta_2(a_2)\bigr).$$

Then $\Phi : \mathfrak{B}^R \times \mathfrak{B}^R \mathrel{\dot\to} \mathfrak{B}^R$ is a natural transformation.

In fact, because $\eta_1(a_1), \eta_2(a_2) \in \mathcal{B}(S)$ for $(a_1, a_2) \in Q^{(2)}(q)$, and because $Q^{(2)}(q)$ is countable, we infer that $\Phi_S(\eta_1, \eta_2) \in \mathfrak{B}^R(S)$. Now let $f : S \to T$ be a measurable map, then this diagram commutes:

$$\begin{array}{ccc} (\mathfrak{B}^R \times \mathfrak{B}^R)(T) & \xrightarrow{\;\Phi_T\;} & \mathfrak{B}^R(T)\\ {\scriptstyle (\mathfrak{B}^R \times \mathfrak{B}^R)(f)}\downarrow & & \downarrow{\scriptstyle \mathfrak{B}^R(f)}\\ (\mathfrak{B}^R \times \mathfrak{B}^R)(S) & \xrightarrow{\;\Phi_S\;} & \mathfrak{B}^R(S) \end{array}$$

This is so since we have for $(\eta_1, \eta_2) \in (\mathfrak{B}^R \times \mathfrak{B}^R)(T)$

$$\begin{aligned} \Phi_S(\mathfrak{B}^R(f)(\eta_1), \mathfrak{B}^R(f)(\eta_2))(q) &= \bigcup_{a} \bigl(f^{-1}[\eta_1(a_1)] \cap f^{-1}[\eta_2(a_2)]\bigr)\\ &= f^{-1}\Bigl[\bigcup_{a} \bigl(\eta_1(a_1) \cap \eta_2(a_2)\bigr)\Bigr]\\ &= \mathfrak{B}^R(f)(\Phi_T(\eta_1, \eta_2))(q). \end{aligned}$$

$\Diamond$

The next example requires that the base spaces are closed under the Souslin operation.

Example 3.12 Let $\eta := (\eta_n)_{n \in \mathbb{N}_0} \in \mathfrak{B}^R(S)^{\mathbb{N}_0}$, and define

$$\Phi_S(\eta)(q) := \bigcup\Bigl\{\bigcap_{n \in \mathbb{N}_0} \eta_n(a_n) \Bigm| a \in Q^{(\infty)}(q)\Bigr\}$$

for $q \in \mathfrak{Rat}_{0,1}$. Then $\Phi : (\mathfrak{B}^R)^{\mathbb{N}_0} \mathrel{\dot\to} \mathfrak{B}^R$, when functor $\mathfrak{B}$ is restricted to category $\mathcal{V}$.

We show first that $\Phi_S(\eta)(q) \in \mathcal{B}(S)$ whenever $S$ is closed under the Souslin operation. For this, we construct for $q > 0$ rational a bijection $\xi : \mathbb{N}_0^{\mathbb{N}} \to Q^{(\infty)}(q)$ such that $\nu|n = \nu'|n$ implies $\xi(\nu)|n = \xi(\nu')|n$ for all $\nu, \nu' \in \mathbb{N}_0^{\mathbb{N}}$ and all $n \in \mathbb{N}$, see [9, Lemma 4.6]. We infer in particular that $\nu|n = \nu'|n$ implies $\xi(\nu)_n = \xi(\nu')_n$ for all $n \in \mathbb{N}$. Now put $C_{\nu|n} := \eta_n(\xi(\nu)_n) \in \mathcal{B}(S)$, then

$$\Phi_S(\eta)(q) = \bigcup_{\nu \in \mathbb{N}_0^{\mathbb{N}}}\ \bigcap_{n \in \mathbb{N}} C_{\nu|n}.$$

Since $S$ is closed under the Souslin operation, the assertion on measurability follows. Naturalness is then shown exactly as in Example 3.11. $\Diamond$



4 Interpretations 

We now turn to interpretations for PDL (although we did not define PDL yet, but never mind). A Kripke model will be employed for interpreting each simple program; similarly, an interpretation for primitive statements will be provided. We will build up from these data an interpretation for modal formulas in which the modalities are given through programs. This will be done through the Kleisli composition for the underlying monad, yielding an interpretation of basic blocks, i.e., of runs of simple programs, and through the natural transformations which will be associated with composing programs through nondeterministic choice and indefinite iteration. It will be convenient to separate these notions, so we will first define what a Kripke model is, and then define models by adding these transformations. Morphisms will be important as well. They are defined for Kripke models, and, since the transformations for the complex program operations are natural, they carry over in a most natural fashion to models.



4.1 Kripke Models 

A stochastic Kripke model $\mathfrak{K} = (S, (K_\rho)_{\rho \in \mathcal{U}}, V)$ is a measurable space $S$ together with a family $(K_\rho)_{\rho \in \mathcal{U}}$ of stochastic relations $K_\rho : S \rightsquigarrow S$ such that

• $K_e = 1_S$,

• $V : \mathsf{P} \to \mathcal{B}(S)$ is a map.

Here $1_S : S \rightsquigarrow S$ is the identity relation

$$1_S(s)(A) := \begin{cases} 1, & \text{if } s \in A,\\ 0, & \text{otherwise.} \end{cases}$$

The set $V(p)$ gives for the atomic proposition $p \in \mathsf{P}$ the set of all states in which $p$ is assumed to hold.

Given a primitive program $\rho \in \mathcal{U}$, the stochastic relation $K_\rho$ governs the transition upon executing $\rho$: the probability that after executing program $\rho$ in state $s \in S$ we are in a state which is an element of $A \in \mathcal{B}(S)$ is given by $K_\rho(s)(A)$. Note that $K_\rho(s)(S) < 1$ is not excluded, accounting for nonterminating programs.

A morphism of Kripke models is compatible with the transition structure for each simple program, and it respects the interpretation for primitive statements, formally:

Definition 4.1 Given Kripke models $\mathfrak{K} = (S, (K_\rho)_{\rho \in \mathcal{U}}, V)$ and $\mathfrak{L} = (T, (L_\rho)_{\rho \in \mathcal{U}}, W)$, a measurable map $f : S \to T$ is a morphism $\mathfrak{K} \to \mathfrak{L}$ for the Kripke models iff

1. $f : K_\rho \to L_\rho$ is a morphism of stochastic relations for each $\rho \in \mathcal{U}$,

2. $f^{-1}[W(p)] = V(p)$ for each atomic proposition $p \in \mathsf{P}$.

Thus for a morphism $f : \mathfrak{K} \to \mathfrak{L}$ an atomic proposition $p$ holds in state $s$ iff it holds in $f(s)$, and the probability of hitting a state in $B \in \mathcal{B}(T)$ after executing program $\rho$ in state $f(s)$ is the same as the probability of hitting a state in $f^{-1}[B]$ after executing $\rho$ in state $s$.
We will need later that Kripke models are closed under coproducts, hence we state as an example the corresponding construction.

Example 4.2 Given Kripke models $\mathfrak{K} = (S, (K_\gamma)_{\gamma\in\mathcal{U}}, V)$ and $\mathfrak{L} = (T, (L_\gamma)_{\gamma\in\mathcal{U}}, W)$, define the sum $\mathfrak{K} \oplus \mathfrak{L}$ of $\mathfrak{K}$ and $\mathfrak{L}$ as the Kripke model

$$\mathfrak{K} \oplus \mathfrak{L} := (S + T, ((K + L)_\gamma)_{\gamma\in\mathcal{U}}, V + W).$$

Here the measurable space $S + T$ carries the final $\sigma$-algebra with respect to the embeddings $i_S$ and $i_T$, and $(K + L)_\gamma : (S + T) \rightsquigarrow (S + T)$ is defined through

$$(K + L)_\gamma(z)(A) := \begin{cases} K_\gamma(s)(i_S^{-1}[A]), & \text{if } z = i_S(s),\\ L_\gamma(t)(i_T^{-1}[A]), & \text{if } z = i_T(t).\end{cases}$$

Then $i_S : \mathfrak{K} \to \mathfrak{K} \oplus \mathfrak{L}$ and $i_T : \mathfrak{L} \to \mathfrak{K} \oplus \mathfrak{L}$ are morphisms. It is easy to see that $\mathfrak{K} \oplus \mathfrak{L}$ together with the embeddings is the coproduct. ◇
Given a Kripke model $\mathfrak{K} = (S, (K_\varrho)_{\varrho\in\mathcal{U}}, V)$, extend the transition laws from primitive programs to basic blocks, i.e., sequences of primitive programs, upon setting

$$K_{\varrho_1;\ldots;\varrho_n} := K_{\varrho_1} * \ldots * K_{\varrho_n}, \qquad (1)$$

where for $K_i : S \rightsquigarrow S$ ($i = 1, 2$) the Kleisli composition $K_1 * K_2$ of $K_1$ and $K_2$ is defined through

$$(K_1 * K_2)(s)(A) := \int_S K_2(t)(A)\, K_1(s)(dt)$$

($s \in S$, $A \in \mathcal{B}(S)$), see [12]; this operation is known as the convolution of two transition kernels in probability theory. Interpreting equation (1) for two programs $\varrho_1, \varrho_2 \in \mathcal{U}$, we see that after executing $\varrho_1$ in state $s$ the system goes into some intermediate state $t \in S$ from which program $\varrho_2$ continues, giving the probability of ending up in a state in Borel set $A$ as $K_{\varrho_2}(t)(A)$. The intermediate states are averaged over through $K_{\varrho_1}(s)$, accounting for the probability

$$\int_S K_{\varrho_2}(t)(A)\, K_{\varrho_1}(s)(dt),$$

which is just $(K_{\varrho_1} * K_{\varrho_2})(s)(A)$. Notice that

$$K_\varepsilon * K_\varrho = K_\varrho = K_\varrho * K_\varepsilon$$

for all $\varrho \in \mathcal{U}$. Because stochastic relations are Kleisli morphisms for a monad, hence morphisms in a category, it follows that Kleisli composition is associative, thus we record for later use that

$$(K_1 * K_2) * K_3 = K_1 * (K_2 * K_3) \qquad (2)$$

holds (which we have already silently made use of in equation (1)).

This extension from $\mathcal{U}$ to $\Omega(\mathcal{U})$ through Kleisli composition is compatible with morphisms.

Lemma 4.3 Let $f : K_1 \to L_1$ and $f : K_2 \to L_2$ be morphisms of stochastic relations for $K_i : S \rightsquigarrow S$ and $L_i : T \rightsquigarrow T$ ($i = 1, 2$). Then $f : K_1 * K_2 \to L_1 * L_2$ is a morphism.

Proof This follows from Lemma 3.1:

$$\begin{aligned}
(L_1 * L_2)(f(s))(B) &= \int_T L_2(y)(B)\, L_1(f(s))(dy)\\
&= \int_T L_2(y)(B)\, \bigl(\mathfrak{S}(f)(K_1(s))\bigr)(dy)\\
&= \int_S L_2(f(x))(B)\, K_1(s)(dx)\\
&= \int_S K_2(x)(f^{-1}[B])\, K_1(s)(dx)\\
&= (K_1 * K_2)(s)(f^{-1}[B])\\
&= \bigl(\mathfrak{S}(f) \circ (K_1 * K_2)\bigr)(s)(B).
\end{aligned}$$

⊣

Applying this to morphisms for stochastic Kripke models yields

Corollary 4.4 Let $\mathfrak{K}$ and $\mathfrak{L}$ be Kripke models, and assume that $f : \mathfrak{K} \to \mathfrak{L}$ is a morphism. Then

$$f : K_{\varrho_1;\ldots;\varrho_n} \to L_{\varrho_1;\ldots;\varrho_n}$$

is a morphism for stochastic relations for all $\varrho_1, \ldots, \varrho_n \in \mathcal{U}$. ⊣

Let $\mathsf{K} = \mathsf{K}(\mathcal{U}, \mathcal{V})$ be the category of Kripke models with universally measurable state spaces; it has the morphisms according to the definition above. Hence the state space of an object in $\mathsf{K}$ is a measurable space which is closed under universal completion according to Definition 3.2. We define the functor $\mathfrak{N}_\mathsf{K} : \mathsf{K} \to \mathsf{N}$ from Kripke models to Borel sets of measurable spaces by adapting the Borel functor to $\mathsf{K}$: each Kripke model $\mathfrak{K} = (S, (K_\gamma)_{\gamma\in\mathcal{U}}, V)$ is mapped to $\mathcal{B}(S)$. By the choice of the base category of universally measurable spaces we make sure that $\mathcal{B}(S)$ is always closed under the Souslin operation. A morphism $f : \mathfrak{K} \to \mathfrak{L}$ is mapped by $\mathfrak{N}_\mathsf{K}$ to $f^{-1} : \mathcal{B}(T) \to \mathcal{B}(S)$.

Assume furthermore that we are given natural transformations $\Phi : \mathfrak{N}_\mathsf{K} \times \mathfrak{N}_\mathsf{K} \to \mathfrak{N}_\mathsf{K}$ and $\Psi : (\mathfrak{N}_\mathsf{K})^{\mathbb{N}_0} \to \mathfrak{N}_\mathsf{K}$. We associate with each basic block $\varrho_1; \ldots; \varrho_n$ a natural transformation $\Gamma(\varrho_1; \ldots; \varrho_n) : \mathfrak{R}at_{0,1} \times \mathfrak{N} \to \mathfrak{N}$ upon setting

$$\Gamma(\varrho_1; \ldots; \varrho_n) := \eta_{K_{\varrho_1;\ldots;\varrho_n}}. \qquad (3)$$

Assume that we have defined natural transformations $\Gamma(\beta_1), \Gamma(\beta_2)$ for the irreducible programs $\beta_1, \beta_2 \in \mathcal{I}(\mathcal{U})$, then

$$\Gamma(\beta_1 \cup \beta_2) := \Phi(\Gamma(\beta_1), \Gamma(\beta_2)) \qquad (4)$$

defines a natural transformation $\Gamma(\beta_1 \cup \beta_2) : \mathfrak{R}at_{0,1} \times \mathfrak{N} \to \mathfrak{N}$. If $\Gamma(\beta_n) : \mathfrak{R}at_{0,1} \times \mathfrak{N} \to \mathfrak{N}$ is defined for $\beta_n \in \mathcal{I}(\mathcal{U})$, define

$$\Gamma\bigl(\textstyle\bigcup(\beta_n \mid n \in \mathbb{N}_0)\bigr) := \Psi\bigl((\Gamma(\beta_n))_{n\in\mathbb{N}_0}\bigr). \qquad (5)$$

Then $\Gamma(\bigcup(\beta_n \mid n \in \mathbb{N}_0)) : \mathfrak{R}at_{0,1} \times \mathfrak{N} \to \mathfrak{N}$. Summarizing, we note for the record

Proposition 4.5 Given the transformations $\Phi$ and $\Psi$ as above, $\Gamma(\beta) : \mathfrak{R}at_{0,1} \times \mathfrak{N} \to \mathfrak{N}$ is a natural transformation, whenever $\beta$ is an irreducible program. ⊣

It is worth noting that

• composition of programs is modelled through the composition operator for stochastic relations, hence through Kleisli composition for the underlying monad; this is the basic mechanism which the other transformations start from,

• once a natural transformation for each basic block in $\Omega(\mathcal{U})$ is defined, the Kripke model proper is only needed to give the semantics for the atomic propositions in $\mathcal{V}$. The transformations for irreducible programs $\beta_1 \cup \beta_2$ and $\bigcup(\beta_k \mid k \in \mathbb{N}_0)$ now rest on the shoulders of the transformations $\Phi$ resp. $\Psi$.
4.2 Defining a Model

Now that the basic ingredients for defining a model are in place, we have to have a closer look at these components. It does not make sense to define a model with arbitrary transformations, because it is clear that the transformations should satisfy some properties, monotonicity and compatibility among them. The latter property refers to the observation that nondeterministic choice and indefinite iteration are somewhat related (this is reflected in the rewrite rule (d*)), consequently we require their interpretations to cooperate along these lines. Some properties are captured in the definition below.

Definition 4.6 Let $\Phi : \mathfrak{N}_\mathsf{K} \times \mathfrak{N}_\mathsf{K} \to \mathfrak{N}_\mathsf{K}$ and $\Psi : (\mathfrak{N}_\mathsf{K})^{\mathbb{N}_0} \to \mathfrak{N}_\mathsf{K}$ be natural transformations.

1. $\Phi$ is called

• associative, iff $\Phi(\eta_1, \Phi(\eta_2, \eta_3)) = \Phi(\Phi(\eta_1, \eta_2), \eta_3)$,

• commutative, iff $\Phi(\eta_1, \eta_2) = \Phi(\eta_2, \eta_1)$,

• idempotent, iff $\Phi(\eta_1, \eta_1) = \eta_1$, provided $\eta_1$ is monotone (i.e., $q \mapsto \eta_{1,S}(q, A)$ is a monotone map for each $A \in \mathcal{B}(S)$)

for any $\eta_1, \eta_2, \eta_3 : \mathfrak{N}_\mathsf{K} \to \mathfrak{N}_\mathsf{K}$.

2. $\Psi$ is called symmetric iff

$$\Psi\bigl((\Psi((\eta_{i,j})_{j\in\mathbb{N}_0}))_{i\in\mathbb{N}_0}\bigr) = \Psi\bigl((\Psi((\eta_{i,j})_{i\in\mathbb{N}_0}))_{j\in\mathbb{N}_0}\bigr)$$

holds for each double indexed sequence $(\eta_{i,j})_{(i,j)\in\mathbb{N}_0\times\mathbb{N}_0}$ with $\eta_{i,j} : \mathfrak{N}_\mathsf{K} \to \mathfrak{N}_\mathsf{K}$ for all $i, j \in \mathbb{N}_0$.

3. $\Phi$ and $\Psi$ are said to be compatible iff

$$\Psi((\eta_i)_{i\in\mathbb{N}_0}) = \Phi\bigl(\eta_0, \Psi((\eta_{i+1})_{i\in\mathbb{N}_0})\bigr)$$

holds for each sequence $(\eta_i)_{i\in\mathbb{N}_0}$ with $\eta_i : \mathfrak{N}_\mathsf{K} \to \mathfrak{N}_\mathsf{K}$ for each $i \in \mathbb{N}_0$.

The properties of $\Phi$ described in Definition 4.6 under 1 make the set of all natural transformations $\mathfrak{N}_\mathsf{K} \to \mathfrak{N}_\mathsf{K}$ a commutative semigroup, if $(\eta_1, \eta_2)$ is sent to $\Phi(\eta_1, \eta_2)$. They are modelled after union or intersection in the power set of a set. Property 2 deals with evaluating operator $\Psi$: an infinite matrix of natural transformations may be evaluated first along its rows, producing a sequence of natural transformations again; evaluating this is assumed to be identical to evaluating the matrix first along the columns and then evaluating the results. Finally, property 3 says that $\Psi$ may be evaluated stepwise through operator $\Phi$ akin to an infinite sum, an infinite union, or an indefinite iteration.

Lemma 4.7 The operators $\Phi$ and $\Psi$ defined in Example 3.11 resp. Example 3.12 have these properties:

a. $\Phi$ is associative, commutative and idempotent,

b. $\Psi$ is symmetric,

c. $\Phi$ and $\Psi$ are compatible.
Proof 1. Properties a and c are fairly obvious. Let $(\eta_{i,j})_{(i,j)\in\mathbb{N}_0\times\mathbb{N}_0}$ with $\eta_{i,j} : \mathfrak{N}_\mathsf{K} \to \mathfrak{N}_\mathsf{K}$, put $\rho_i := (\eta_{i,j})_{j\in\mathbb{N}_0}$ and $\sigma_j := (\eta_{i,j})_{i\in\mathbb{N}_0}$. We now show that

$$\Psi_S\bigl((A_i)_{i\in\mathbb{N}_0}\bigr)(q) = \Psi_S\bigl((B_j)_{j\in\mathbb{N}_0}\bigr)(q)$$

holds, where

$$A_i(q) = \Psi_S(\rho_i)(q), \qquad B_j(q) = \Psi_S(\sigma_j)(q).$$

This will establish that operator $\Psi$ is symmetric.

2. Now fix $q \in \mathfrak{R}at_{0,1}$ and put for $(a_n)_{n\in\mathbb{N}_0} \in \mathfrak{R}at_{0,1}^{\mathbb{N}_0}$

$$Z(a) := \{(a_{i,j}) \mid \forall i \in \mathbb{N}_0 : \sum_{j\in\mathbb{N}_0} a_{i,j} \le a_i\},$$

$$R(a) := \{(a_{i,j}) \mid \forall j \in \mathbb{N}_0 : \sum_{i\in\mathbb{N}_0} a_{i,j} \le a_j\}.$$

Hence an infinite matrix of non-negative numbers is in $Z(a)$ iff for each row $i$ the sum over its columns is dominated by $a_i$, similarly for $R(a)$ and the sum over the rows in each column. Note that

$$\sum_{i\in\mathbb{N}_0}\Bigl(\sum_{j\in\mathbb{N}_0} a_{i,j}\Bigr) = \sum_{j\in\mathbb{N}_0}\Bigl(\sum_{i\in\mathbb{N}_0} a_{i,j}\Bigr) \qquad (6)$$

by Pringsheim's Theorem [2, V.31], because all terms are non-negative.

3. Now

$$\begin{aligned}
s \in \Psi_S((A_i)_i)(q) &\iff \exists a \in Q^{(\infty)}(q)\ \forall i \in \mathbb{N}_0\ \exists (a_{i,j})_j \in Q^{(\infty)}(a_i)\ \forall j \in \mathbb{N}_0 : s \in \eta_{i,j,S}(a_{i,j}) & (7)\\
&\iff \exists a \in Q^{(\infty)}(q)\ \exists b \in Z(a)\ \forall i, j \in \mathbb{N}_0 : s \in \eta_{i,j,S}(b_{i,j}) & (8)\\
&\iff \exists x \in Q^{(\infty)}(q)\ \exists y \in R(x)\ \forall i, j \in \mathbb{N}_0 : s \in \eta_{i,j,S}(y_{i,j}) & (9)\\
&\iff s \in \Psi_S((B_j)_j)(q). & (10)
\end{aligned}$$

For, assume that $a$ and $b$ are given according to (8), then define $x_j := \sum_{i\in\mathbb{N}_0} b_{i,j}$ and $y := b$, hence

$$\sum_j x_j = \sum_j\sum_i b_{i,j} = \sum_i\sum_j b_{i,j} \le \sum_i a_i \le q.$$

This justifies the implication (8) ⇒ (9), similarly for the converse. ⊣

Call a natural transformation $\Lambda : (\mathfrak{N}_\mathsf{K})^J \to \mathfrak{N}_\mathsf{K}$ monotone iff $\Lambda((\eta_i)_{i\in J})$ is monotone, provided $\eta_i : \mathfrak{N}_\mathsf{K} \to \mathfrak{N}_\mathsf{K}$ is monotone for all $i \in J \subseteq \mathbb{N}_0$, see Definition 4.6. We extend Kripke models now to models for PDL.

Definition 4.8 A model $\mathfrak{M} = (\mathfrak{K}, \Phi, \Psi)$ for PDL is composed of a Kripke model $\mathfrak{K}$ and of two monotone transformations $\Phi : \mathfrak{N}_\mathsf{K} \times \mathfrak{N}_\mathsf{K} \to \mathfrak{N}_\mathsf{K}$ and $\Psi : (\mathfrak{N}_\mathsf{K})^{\mathbb{N}_0} \to \mathfrak{N}_\mathsf{K}$ so that $\Phi$ is associative, commutative and idempotent, $\Psi$ is symmetric, and $\Phi$ and $\Psi$ are compatible.

When talking about a model, we always refer to a model in the sense of Definition 4.8, unless otherwise specified. Hence we always have with a model a Kripke model and two transformations at our disposal. Define for model $\mathfrak{M}$ the transformation $\Gamma_{\mathfrak{M}}(\beta) : \mathfrak{R}at_{0,1} \times \mathfrak{N} \to \mathfrak{N}$ for irreducible programs $\beta$ as at the end of Section 4.1, equations (3) through (5), see Proposition 4.5.

Lemma 4.9 Given an irreducible program $\beta$ and the state space $S$ of a Kripke model $\mathfrak{K}$, the map $q \mapsto \Gamma_{\mathfrak{M},S}(\beta)(q, A) := (\Gamma_{\mathfrak{M}}(\beta))_S(q, A)$ is monotone for any fixed $A \in \mathcal{B}(S)$.

Proof This is established by induction on $\beta$. Assume first that $\beta = \varrho_1; \ldots; \varrho_n \in \Omega(\mathcal{U})$. Then

$$\Gamma_{\mathfrak{M},S}(\varrho_1; \ldots; \varrho_n)(q, A) = \{s \in S \mid K_{\varrho_1;\ldots;\varrho_n}(s)(A) < q\},$$

which is clearly a monotone function of $q$. If $\beta = \beta_1 \cup \beta_2$, and monotonicity is established already for $\beta_1$ and $\beta_2$, then $\Gamma_{\mathfrak{M}}(\beta_1)$ and $\Gamma_{\mathfrak{M}}(\beta_2)$ are monotone, thus $\Phi(\Gamma_{\mathfrak{M}}(\beta_1), \Gamma_{\mathfrak{M}}(\beta_2))$ is monotone, from which the assertion for $\beta$ follows. One argues similarly for $\beta = \bigcup(\beta_n \mid n \ge 0)$, provided the claim holds for all $\beta_n$. ⊣

We show now that $\Gamma_{\mathfrak{M}}$ is invariant under the equivalence classes with respect to $\equiv$, as far as irreducible programs are concerned. This step is necessary for ensuring that the interpretation of formulas is well defined.

Proposition 4.10 Let $\beta_1, \beta_2$ be irreducible programs with $\beta_1 \equiv \beta_2$. Then $\Gamma_{\mathfrak{M}}(\beta_1) = \Gamma_{\mathfrak{M}}(\beta_2)$.

Proof 1. It is enough to show that $\beta_1 \leadsto \beta_2$ implies $\Gamma_{\mathfrak{M}}(\beta_1) = \Gamma_{\mathfrak{M}}(\beta_2)$. Because no rewrite rules apply due to irreducibility, we may then conclude that

$$\equiv \cap\, (\mathcal{I}(\mathcal{U}) \times \mathcal{I}(\mathcal{U})) \subseteq \ker(\Gamma_{\mathfrak{M}}),$$

from which the assertion follows. We will discuss the different cases in turn.

2. The cases $(id_l)$ and $(id_r)$ are covered by the observation that $K_\varepsilon = 1_S$, which in turn is the neutral element for Kleisli composition; case $(ass_;)$ follows from associativity of Kleisli composition. Because $\Phi$ is associative and commutative, the cases $(ass_\cup)$ resp. $(comm)$ are covered as well. We infer from Lemma 4.9 and from idempotence of $\Phi$ that $\Gamma_{\mathfrak{M}}(\beta_1 \cup \beta_1) = \Gamma_{\mathfrak{M}}(\beta_1)$. Finally, the cases $(dis_\infty)$ and $(transp)$ are covered through the compatibility of $\Phi$ and $\Psi$ resp. the symmetry of $\Psi$. ⊣

Now take a program $\pi \in \mathcal{P}(\mathcal{U})$ and consider $\beta_1, \beta_2 \in \Theta(\pi) \cap \mathcal{I}(\mathcal{U})$. Then $\Gamma_{\mathfrak{M}}(\beta_1) = \Gamma_{\mathfrak{M}}(\beta_2)$. Sending $\Theta(\pi) \cap \mathcal{I}(\mathcal{U})$ to $\Gamma_{\mathfrak{M}}(\beta)$, provided $\beta \in \Theta(\pi) \cap \mathcal{I}(\mathcal{U})$, we obtain a well defined map (recall that $\Theta(\pi) \cap \mathcal{I}(\mathcal{U}) \neq \emptyset$ by the corollary on irreducible programs). Thus define

$$\mathcal{J}_{\mathfrak{M}}(\pi) := \Gamma_{\mathfrak{M}}(\beta), \qquad (11)$$

with $\pi \in \mathcal{P}(\mathcal{U})$, provided $\beta \in \Theta(\pi) \cap \mathcal{I}(\mathcal{U})$. This defines a natural transformation, see Proposition 4.5.

5 The Logics



We define the logic PDL as usual through modal operators which come from programs; because we investigate probabilistic aspects, we introduce a quantitative aspect by limiting certain probabilities from above. The logic is negation free and does not have disjunction. This looks at first sight a bit restricting, but since we work in a Boolean algebra of sets we can express negation through complementation, hence we do not need a separate operator for it. Omission of disjunction, however, cannot be compensated; it turns out that disjunction is not really necessary in the arguments to follow, so Occam's Razor could be applied. It should also be noted that we do not include the test operator. While this operator expands the usability of the logic, it does not contribute to the structural questions which we are concerned with; this has been discussed in [9, Section 6.5].

We will first define PDL and its semantics, then we will take only the simple programs and the atomic expressions and define a Hennessy-Milner logic from it, much in the spirit of [14, 4, 16]. This type of logic has been investigated extensively, and it will be helpful to use its semantic properties for the investigation of PDL. Syntactically, we have in the Hennessy-Milner logic only basic blocks at our disposal; these basic blocks are important for expressing the semantics of programs in PDL, so we will relate these constructs to each other. Finally we define expressivity (logical equivalence, bisimilarity, behavioral equivalence) for our models and relate them to each other. Bisimilarity will play a special role which partly will have to be delegated to the next section due to Standard Borel spaces being closed under the Souslin operation only in the finite case. The constructions to be undertaken will require some leg work for constructing the proper measurable spaces etc.

5.1 PDL

Given a set $\mathcal{U}$ of primitive programs and a set $\mathcal{V}$ of atomic propositions, we define the formulas of logic $\mathsf{L}(\mathcal{U}, \mathcal{V})$ through this grammar

$$\varphi ::= \top \mid p \mid \varphi_1 \wedge \varphi_2 \mid \lfloor\pi\rfloor_q \varphi$$

with $p \in \mathcal{V}$ an atomic proposition, $\pi \in \mathcal{P}(\mathcal{U})$ a program and $q \in \mathfrak{R}at_{0,1}$ a rational number. Hence a formula is $\top$ as a formula which always holds, an atomic proposition, the conjunction of two formulas or a modal formula $\lfloor\pi\rfloor_q \varphi$. The latter one is going to hold whenever formula $\varphi$ holds with probability less than $q \in \mathfrak{R}at_{0,1}$ after executing program $\pi$. Define inductively for a given model $\mathfrak{M} = (\mathfrak{K}, \Phi, \Psi)$ with state space $S$ and valuation $V : \mathcal{V} \to \mathcal{B}(S)$ the extension or validity set $\llbracket\varphi\rrbracket_{\mathfrak{M}}$ for formula $\varphi$ through

$$\begin{aligned}
\llbracket\top\rrbracket_{\mathfrak{M}} &:= S, & (12)\\
\llbracket p\rrbracket_{\mathfrak{M}} &:= V(p), & (13)\\
\llbracket\varphi_1 \wedge \varphi_2\rrbracket_{\mathfrak{M}} &:= \llbracket\varphi_1\rrbracket_{\mathfrak{M}} \cap \llbracket\varphi_2\rrbracket_{\mathfrak{M}}, & (14)\\
\llbracket\lfloor\pi\rfloor_q\varphi\rrbracket_{\mathfrak{M}} &:= \mathcal{J}_{\mathfrak{M}}(\pi)(q)(\llbracket\varphi\rrbracket_{\mathfrak{M}}), & (15)
\end{aligned}$$

where the natural transformation $\mathcal{J}_{\mathfrak{M}}$ is defined in Equation (11). The validity relation $\models$ is then defined through

$$\mathfrak{M}, s \models \varphi \iff s \in \llbracket\varphi\rrbracket_{\mathfrak{M}},$$

consequently, $\mathfrak{M}, s \models \top$ holds by (12) always, and $\mathfrak{M}, s \models p$ iff $s \in V(p)$ for the atomic proposition $p \in \mathcal{V}$ by (13). If $\varrho_1, \ldots, \varrho_n \in \mathcal{U}$, we infer from (15) through the definition of $\mathcal{J}$ in particular

$$\mathfrak{M}, s \models \lfloor\varrho_1; \ldots; \varrho_n\rfloor_q \varphi \iff K_{\varrho_1;\ldots;\varrho_n}(s)(\llbracket\varphi\rrbracket_{\mathfrak{M}}) < q. \qquad (16)$$
Although the logic is negation free, we are still able to state that formula $\varphi$ does not hold in a state. Because we work in a $\sigma$-algebra, thus in particular in a Boolean algebra, we can state that formula $\varphi$ does not hold in state $s$ iff $s \notin \llbracket\varphi\rrbracket_{\mathfrak{M}}$, so that the set $\{s \in S \mid \varphi \text{ does not hold in } s\}$ is a measurable set, provided the extension of $\varphi$ is measurable. We note for later use that the validity sets are measurable. This is so since we deal with natural transformations involving the Borel functor.

Lemma 5.1 $\llbracket\varphi\rrbracket_{\mathfrak{M}} \in \mathcal{B}(S)$ for a model $\mathfrak{M}$ over state space $S$ and a PDL formula $\varphi$. ⊣

Example 5.2 Consider the transformations $\Phi$ from Example 3.11 and $\Psi$ from Example 3.12. Expanding (15), we obtain

$$\llbracket\lfloor\pi_1 \cup \pi_2\rfloor_q\varphi\rrbracket_{\mathfrak{M}} = \bigcup\bigl\{\llbracket\lfloor\pi_1\rfloor_{a_1}\varphi\rrbracket_{\mathfrak{M}} \cap \llbracket\lfloor\pi_2\rfloor_{a_2}\varphi\rrbracket_{\mathfrak{M}} \mid a_1, a_2 \in \mathfrak{R}at_{0,1},\ a_1 + a_2 \le q\bigr\}, \qquad (17)$$

$$\llbracket\lfloor\pi^*\rfloor_q\varphi\rrbracket_{\mathfrak{M}} = \bigcup\Bigl\{\bigcap_{n\in\mathbb{N}_0}\llbracket\lfloor\pi^n\rfloor_{a_n}\varphi\rrbracket_{\mathfrak{M}} \mid (a_n)_{n\in\mathbb{N}_0} \subseteq \mathfrak{R}at_{0,1},\ \sum_n a_n \le q\Bigr\}. \qquad (18)$$

Selecting nondeterministically one of the programs $\pi_1$ or $\pi_2$, $\llbracket\lfloor\pi_1\rfloor_{a_1}\varphi\rrbracket_{\mathfrak{M}}$ accounts for all states which are led by executing $\pi_1$ to a state in which $\varphi$ holds with probability at most $a_1$, similarly $\llbracket\lfloor\pi_2\rfloor_{a_2}\varphi\rrbracket_{\mathfrak{M}}$ for $\pi_2$. Since we want to bound the probability from above by $q$, we require $a_1 + a_2 \le q$. This leads to Equation (17).

Suppose that executing program $\pi$ exactly $n$ times results in a state in which $\varphi$ holds with probability not exceeding $a_n$, then executing $\pi$ a finite number of times (including not executing it at all) results in a member of $\llbracket\varphi\rrbracket_{\mathfrak{M}}$ with probability at most $a_0 + a_1 + \ldots$, which should be bounded above by $q$ for the resulting state to be a state in which $\varphi$ holds with probability less than $q$. This leads to Eq. (18).

These specific interpretations were investigated more closely in [9]. ◇
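The Kleisli composition of equation (1), the morphism condition of Definition 4.1 and Lemma 4.3, and the validity sets (16), (17) and (18) can all be computed on a finite state space, where the integral becomes a sum and a stochastic relation becomes a sub-stochastic matrix. The following Python example is added here and is not code from the paper; the three-state model, its two kernels, the valuation and the quotient map `F_MAP` are constructed for the illustration. Two reductions in it are ours, not the paper's: on a finite space the union in (17) over rationals with $a_1 + a_2 \le q$ is the set $\{s \mid K_{\pi_1}(s)(A) + K_{\pi_2}(s)(A) < q\}$, and the union in (18) is $\{s \mid \sum_n K_{\pi^n}(s)(A) < q\}$, both because the rationals are dense and the inequalities are strict; the series in (18) is decided exactly with a geometric tail bound that requires every row mass $K(s)(S) \le c < 1$, which the code checks before relying on it.

```python
"""Added example, not code from the paper: a finite-state stochastic Kripke
model with Kleisli composition, the morphism condition, and the validity sets
of floor(pi)_q phi for a basic block, a choice and an iteration."""
from fractions import Fraction as F
from itertools import combinations

def kernel(rows):
    """Sub-stochastic kernel on states 0..n-1: K[s][t] = K(s)({t}).
    Rows may sum to less than 1; the missing mass is non-termination."""
    return [[F(x) for x in row] for row in rows]

def identity(n):
    """1_S, the interpretation K_eps of the empty program."""
    return kernel([[int(s == t) for t in range(n)] for s in range(n)])

def kleisli(K1, K2):
    """(K1 * K2)(s)(A) = integral K2(t)(A) K1(s)(dt), eq. (1); on a finite
    space the integral is a sum, so this is the matrix product."""
    n = len(K1)
    return [[sum(K1[s][t] * K2[t][u] for t in range(n)) for u in range(n)]
            for s in range(n)]

def mass(K, s, A):
    """K(s)(A) for a set A of states."""
    return sum(K[s][t] for t in A)

def preimage(f, B):
    """f^{-1}[B] for a map f given as a list indexed by source states."""
    return [s for s in range(len(f)) if f[s] in B]

def is_morphism(f, K, L):
    """f : K -> L is a morphism of stochastic relations iff
    L(f(s))(B) = K(s)(f^{-1}[B]) for every s and every set B of targets."""
    m = len(L)
    return all(mass(L, f[s], B) == mass(K, s, preimage(f, B))
               for s in range(len(K))
               for r in range(m + 1) for B in combinations(range(m), r))

def is_kripke_morphism(f, KM, LM):
    """Definition 4.1: f respects every primitive kernel and the valuation."""
    (Ks, V), (Ls, W) = KM, LM
    return (all(is_morphism(f, Ks[g], Ls[g]) for g in Ks)
            and all(set(preimage(f, W[p])) == set(V[p]) for p in V))

def box_block(K, q, A):
    """[[floor(rho_1;...;rho_n)_q phi]] = {s | K(s)(A) < q}, eq. (16), with K
    the Kleisli product of the block and A = [[phi]]."""
    return frozenset(s for s in range(len(K)) if mass(K, s, A) < q)

def box_choice(K1, K2, q, A):
    """Eq. (17) on a finite space: some floor_{a1} cap floor_{a2} with rational
    a1 + a2 <= q contains s iff K1(s)(A) + K2(s)(A) < q (our reduction)."""
    return frozenset(s for s in range(len(K1))
                     if mass(K1, s, A) + mass(K2, s, A) < q)

def box_star(K, q, A, max_steps=500):
    """Eq. (18): s is in [[floor(pi*)_q phi]] iff sum_n K^n(s)(A) < q (our
    reduction).  Decided exactly via the tail bound
    sum_{m>n} K^m(s)(A) <= c^(n+1)/(1-c), valid when every row mass is <= c < 1."""
    n = len(K)
    c = max(mass(K, s, range(n)) for s in range(n))
    if c >= 1:
        raise ValueError("tail bound needs K(s)(S) < 1 for every state")
    result = set()
    for s in range(n):
        total, power = F(0), identity(n)
        for step in range(max_steps):
            total += mass(power, s, A)             # adds K^step(s)(A)
            if total >= q:
                break                              # already at or above q
            if total + c ** (step + 1) / (1 - c) < q:
                result.add(s)                      # tail cannot reach q
                break
            power = kleisli(power, K)
        else:
            raise RuntimeError(f"undecided for state {s}: the sum may equal q")
    return frozenset(result)

# Constructed model: three states, primitive programs a and b, proposition p
# holding exactly in state 2.  States 0 and 1 behave alike, so the map F_MAP
# merging them into one target state is a morphism onto a two-state model.
K_A = kernel([[0, F(1, 2), F(1, 4)], [F(1, 2), 0, F(1, 4)], [0, F(1, 4), 0]])
K_B = kernel([[0, 0, F(1, 2)], [0, 0, F(1, 2)], [F(1, 4), 0, F(1, 4)]])
MODEL = ({"a": K_A, "b": K_B}, {"p": [2]})
L_A = kernel([[F(1, 2), F(1, 4)], [F(1, 4), 0]])
L_B = kernel([[0, F(1, 2)], [F(1, 4), F(1, 4)]])
TARGET = ({"a": L_A, "b": L_B}, {"p": [1]})
F_MAP = [0, 0, 1]

def demo():
    """Validity sets and the morphism check for the constructed model."""
    P = MODEL[1]["p"]
    return {
        "box_a": box_block(K_A, F(1, 4), P),                  # floor(a)_{1/4} p
        "box_a_b": box_block(kleisli(K_A, K_B), F(1, 4), P),  # floor(a;b)_{1/4} p
        "box_choice": box_choice(K_A, K_B, F(1, 2), P),       # floor(a u b)_{1/2} p
        "box_star_2_3": box_star(K_A, F(2, 3), P),            # floor(a*)_{2/3} p
        "box_star_1_2": box_star(K_A, F(1, 2), P),            # floor(a*)_{1/2} p
        "f_is_morphism": is_kripke_morphism(F_MAP, MODEL, TARGET),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, sorted(value) if isinstance(value, frozenset) else value)
```

Running the block shows the accumulation that distinguishes iteration from a single step: $\lfloor a\rfloor_{1/4}p$ holds in state 2 only, while $\lfloor a^*\rfloor_{2/3}p$ holds in states 0 and 1 and never in state 2, because the $n = 0$ term $K_\varepsilon(s)(A) = 1$ for $s \in A$ already exceeds any threshold $q \le 1$. The morphism check confirms Lemma 4.3 on the composed kernels, and the same check fails for a map that merges states with different transition behaviour.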

Define for each state $s$ of a model $\mathfrak{M}$ the $\mathfrak{M}$-theory associated with $s$ as the set of formulas which hold in that state, formally

$$Th_{\mathsf{L}(\mathcal{U},\mathcal{V})}(\mathfrak{M}, s) := \{\varphi \mid \varphi \text{ is a formula in } \mathsf{L}(\mathcal{U}, \mathcal{V}) \text{ and } \mathfrak{M}, s \models \varphi\}.$$

5.2 A simple Hennessy-Milner logic

We define the negation free Hennessy-Milner logic $\mathsf{M}(\mathcal{U}, \mathcal{V})$ through these formulas:

$$\varphi ::= \top \mid p \mid \varphi_1 \wedge \varphi_2 \mid \langle\varrho\rangle_q \varphi$$

with $\varrho \in \mathcal{U}$ a primitive program, $q \in \mathfrak{R}at_{0,1}$ a threshold value, and $p \in \mathcal{V}$ an atomic proposition. Thus each primitive program serves as a modal operator of arity 1 for the modal logic $\mathsf{M}(\mathcal{U}, \mathcal{V})$. Considering $\varrho$ as an action as in labelled Markov transition systems, the intended interpretation of formula $\langle\varrho\rangle_q\varphi$ holding in state $s$ is that upon action $\varrho$, i.e., upon executing program $\varrho \in \mathcal{U}$, a state in which $\varphi$ holds is reached with probability at least $q$, see, e.g., the literature on Hennessy-Milner logics cited above.
Formally, we define for a Kripke model $\mathfrak{K} = (S, (K_\varrho)_{\varrho\in\mathcal{U}}, V)$ and each formula $\varphi$ of $\mathsf{M}(\mathcal{U}, \mathcal{V})$ the validity sets $\llbracket\varphi\rrbracket_{\mathfrak{K}}$ recursively through

$$\begin{aligned}
\llbracket\top\rrbracket_{\mathfrak{K}} &:= S, & (19)\\
\llbracket p\rrbracket_{\mathfrak{K}} &:= V(p), \text{ if } p \in \mathcal{V}, & (20)\\
\llbracket\varphi_1 \wedge \varphi_2\rrbracket_{\mathfrak{K}} &:= \llbracket\varphi_1\rrbracket_{\mathfrak{K}} \cap \llbracket\varphi_2\rrbracket_{\mathfrak{K}}, & (21)\\
\llbracket\langle\varrho\rangle_q\varphi\rrbracket_{\mathfrak{K}} &:= \{s \in S \mid K_\varrho(s)(\llbracket\varphi\rrbracket_{\mathfrak{K}}) \ge q\}. & (22)
\end{aligned}$$

Define for state $s$ and formula $\varphi$ the relation $\models$ through

$$\mathfrak{K}, s \models \varphi \iff s \in \llbracket\varphi\rrbracket_{\mathfrak{K}}.$$

Equation (22) shows that $\llbracket\langle\varrho\rangle_q\varphi\rrbracket_{\mathfrak{K}}$ is always a measurable set. A comparison with $\llbracket\cdot\rrbracket_{\mathfrak{M}}$ shows that the definitions for $\top$, for atomic propositions, and for the conjunction of formulas (12, 13, 14) resp. (19, 20, 21) are identical. Because of the identity (16), we see that for $\varrho \in \mathcal{U}$ and a formula $\varphi$ which is both an $\mathsf{M}(\mathcal{U}, \mathcal{V})$ and an $\mathsf{L}(\mathcal{U}, \mathcal{V})$ formula the correspondence

$$\llbracket\lfloor\varrho\rfloor_q\varphi\rrbracket_{\mathfrak{M}} = S \setminus \llbracket\langle\varrho\rangle_q\varphi\rrbracket_{\mathfrak{K}} \qquad (23)$$

holds. This observation can be refined. Define

$$\begin{aligned}
\mathsf{I}_{\mathfrak{K}}(A \mid \varrho, q) &:= \{s \in S \mid K_\varrho(s)(A) \ge q\},\\
\mathsf{I}_{\mathfrak{K}}(A \mid \varrho_1, q_1, \ldots, \varrho_{n+1}, q_{n+1}) &:= \mathsf{I}_{\mathfrak{K}}(\mathsf{I}_{\mathfrak{K}}(A \mid \varrho_1, q_1, \ldots, \varrho_n, q_n), \varrho_{n+1}, q_{n+1}),\\
\mathsf{J}_{\mathfrak{M}}(A \mid \varrho, q) &:= \{s \in S \mid K_\varrho(s)(A) < q\},\\
\mathsf{J}_{\mathfrak{M}}(A \mid \varrho_1, q_1, \ldots, \varrho_{n+1}, q_{n+1}) &:= \mathsf{J}_{\mathfrak{M}}(\mathsf{J}_{\mathfrak{M}}(A \mid \varrho_1, q_1, \ldots, \varrho_n, q_n), \varrho_{n+1}, q_{n+1})
\end{aligned}$$

for the measurable set $A \in \mathcal{B}(S)$, $\varrho, \varrho_1, \ldots, \varrho_n, \varrho_{n+1} \in \mathcal{U}$ and $q, q_1, \ldots, q_n, q_{n+1} \in \mathfrak{R}at_{0,1}$. Thus, e.g.,

$$\begin{aligned}
\mathsf{I}_{\mathfrak{K}}(\llbracket p\rrbracket_{\mathfrak{K}} \mid \varrho_1, q_1, \varrho_2, q_2) &= \llbracket\langle\varrho_2\rangle_{q_2}\langle\varrho_1\rangle_{q_1} p\rrbracket_{\mathfrak{K}},\\
\mathsf{J}_{\mathfrak{M}}(\llbracket p\rrbracket_{\mathfrak{M}} \mid \varrho_1, q_1, \varrho_2, q_2) &= \llbracket\lfloor\varrho_2\rfloor_{q_2}\lfloor\varrho_1\rfloor_{q_1} p\rrbracket_{\mathfrak{M}}
\end{aligned}$$

for the atomic proposition $p \in \mathcal{V}$.

Note that $q \mapsto \mathsf{J}_{\mathfrak{M}}(A \mid \varrho, q)$ is monotonically increasing, and that $\mathsf{I}_{\mathfrak{K}}(A \mid \varrho, q) = S \setminus \mathsf{J}_{\mathfrak{M}}(A \mid \varrho, q)$ by Equation (23).

These quantities can be related for the probabilistic case.

Lemma 5.3 Assume that $K_\varrho(s)(S) = 1$ for all states $s \in S$, then

$$\mathsf{I}_{\mathfrak{K}}(A \mid \varrho_1, q_1, \ldots, \varrho_{2n}, q_{2n}) = \bigcap\bigl\{\mathsf{J}_{\mathfrak{M}}(A \mid \varrho_1, q_1, \varrho_2, 1 - q_2 + 1/k_1, \varrho_3, q_3, \ldots, \varrho_{2n}, 1 - q_{2n} + 1/k_n) \mid k_1, \ldots, k_n \in \mathbb{N}\bigr\} \qquad (24)$$

and

$$\mathsf{I}_{\mathfrak{K}}(A \mid \varrho_1, q_1, \ldots, \varrho_{2n+1}, q_{2n+1}) = \bigcap\bigl\{S \setminus \mathsf{J}_{\mathfrak{M}}(A \mid \varrho_1, q_1, \varrho_2, 1 - q_2 + 1/k_1, \varrho_3, q_3, \ldots, \varrho_{2n}, 1 - q_{2n} + 1/k_n, \varrho_{2n+1}, q_{2n+1}) \mid k_1, \ldots, k_n \in \mathbb{N}\bigr\}. \qquad (25)$$
Proof The proof proceeds by induction on $n$. If $n = 0$, then there is nothing to prove for Equation (24), and Equation (25) boils down to

$$\mathsf{I}_{\mathfrak{K}}(A \mid \varrho, q) = \{s \in S \mid K_\varrho(s)(A) \ge q\} = S \setminus \{s \in S \mid K_\varrho(s)(A) < q\} = S \setminus \mathsf{J}_{\mathfrak{M}}(A \mid \varrho, q).$$

Now assume that Equations (24) and (25) are established for $n$. Put

$$\begin{aligned}
T_{k_1,\ldots,k_n} &:= S \setminus R_{k_1,\ldots,k_n},\\
R_{k_1,\ldots,k_n} &:= \mathsf{J}_{\mathfrak{M}}(A \mid \varrho_1, q_1, \varrho_2, 1 - q_2 + 1/k_1, \varrho_3, q_3, \ldots, \varrho_{2n}, 1 - q_{2n} + 1/k_n, \varrho_{2n+1}, q_{2n+1});
\end{aligned}$$

then

$$\begin{aligned}
&\mathsf{I}_{\mathfrak{K}}(A \mid \varrho_1, q_1, \ldots, \varrho_{2n+1}, q_{2n+1}, \varrho, q)\\
&= \mathsf{I}_{\mathfrak{K}}(\mathsf{I}_{\mathfrak{K}}(A \mid \varrho_1, q_1, \ldots, \varrho_{2n+1}, q_{2n+1}), \varrho, q)\\
&\overset{(*)}{=} \{s \mid K_\varrho(s)(\textstyle\bigcap_{k_1,\ldots,k_n\in\mathbb{N}} T_{k_1,\ldots,k_n}) \ge q\}\\
&= S \setminus \{s \mid K_\varrho(s)(\textstyle\bigcap_{k_1,\ldots,k_n\in\mathbb{N}} T_{k_1,\ldots,k_n}) < q\}\\
&\overset{(\sigma)}{=} S \setminus \{s \mid \inf_{k_1,\ldots,k_n\in\mathbb{N}} K_\varrho(s)(T_{k_1,\ldots,k_n}) < q\}\\
&\overset{(\rho)}{=} S \setminus \{s \mid 1 - \sup_{k_1,\ldots,k_n\in\mathbb{N}} K_\varrho(s)(R_{k_1,\ldots,k_n}) < q\}\\
&= \{s \mid \sup_{k_1,\ldots,k_n\in\mathbb{N}} K_\varrho(s)(R_{k_1,\ldots,k_n}) \le 1 - q\}\\
&= \bigcap_{k_1,\ldots,k_n\in\mathbb{N}} \{s \mid K_\varrho(s)(R_{k_1,\ldots,k_n}) \le 1 - q\}\\
&= \bigcap_{k_1,\ldots,k_n,k_{n+1}\in\mathbb{N}} \{s \mid K_\varrho(s)(R_{k_1,\ldots,k_n}) < 1 - q + 1/k_{n+1}\}\\
&= \bigcap_{k_1,\ldots,k_n,k_{n+1}\in\mathbb{N}} \mathsf{J}_{\mathfrak{M}}(R_{k_1,\ldots,k_n} \mid \varrho, 1 - q + 1/k_{n+1}).
\end{aligned}$$

This implies Equation (24) for $n + 1$. The induction hypothesis is used in equality $(*)$, and equality $(\sigma)$ uses $\sigma$-additivity of the measure $K_\varrho(s)$ for each $s$: this property is equivalent to

$$K_\varrho(s)\bigl(\textstyle\bigcap_{n\in\mathbb{N}} A_n\bigr) = \inf_{n\in\mathbb{N}} K_\varrho(s)(A_n),$$

whenever $(A_n)_{n\in\mathbb{N}} \subseteq \mathcal{B}(S)$ is decreasing. Finally, equality $(\rho)$ uses the assumption that the full space has probability one.

To work on Equation (25) for $n + 1$, put

$$V_{k_1,\ldots,k_{n+1}} := \mathsf{J}_{\mathfrak{M}}(A \mid \varrho_1, q_1, \varrho_2, 1 - q_2 + 1/k_1, \varrho_3, q_3, \ldots, \varrho_{2(n+1)}, 1 - q_{2(n+1)} + 1/k_{n+1}),$$

then

$$\begin{aligned}
&\mathsf{I}_{\mathfrak{K}}(A \mid \varrho_1, q_1, \ldots, \varrho_{2(n+1)}, q_{2(n+1)}, \varrho, q)\\
&= \mathsf{I}_{\mathfrak{K}}(\mathsf{I}_{\mathfrak{K}}(A \mid \varrho_1, q_1, \ldots, \varrho_{2(n+1)}, q_{2(n+1)}), \varrho, q)\\
&= \{s \mid K_\varrho(s)(\mathsf{I}_{\mathfrak{K}}(A \mid \varrho_1, q_1, \ldots, \varrho_{2(n+1)}, q_{2(n+1)})) \ge q\}\\
&= \{s \mid K_\varrho(s)(\textstyle\bigcap_{k_1,\ldots,k_{n+1}\in\mathbb{N}} V_{k_1,\ldots,k_{n+1}}) \ge q\}\\
&= \{s \mid \inf_{k_1,\ldots,k_{n+1}\in\mathbb{N}} K_\varrho(s)(V_{k_1,\ldots,k_{n+1}}) \ge q\}\\
&= \bigcap_{k_1,\ldots,k_{n+1}\in\mathbb{N}} \{s \mid K_\varrho(s)(V_{k_1,\ldots,k_{n+1}}) \ge q\}\\
&= \bigcap_{k_1,\ldots,k_{n+1}\in\mathbb{N}} S \setminus \{s \mid K_\varrho(s)(V_{k_1,\ldots,k_{n+1}}) < q\}\\
&= \bigcap_{k_1,\ldots,k_{n+1}\in\mathbb{N}} S \setminus \mathsf{J}_{\mathfrak{M}}(V_{k_1,\ldots,k_{n+1}} \mid \varrho, q).
\end{aligned}$$

Equation (25) for $n + 1$ follows now. ⊣

This has as a consequence that the semantics of a large class of formulas in $\mathsf{L}(\mathcal{U}, \mathcal{V})$ can be expressed through the semantics for $\mathsf{M}(\mathcal{U}, \mathcal{V})$-formulas.

Corollary 5.4 Assume that $K_\varrho(s)(S) = 1$ for all states $s \in S$, and let $p$ be an atomic formula. Then

$$\llbracket\langle\varrho_{2n}\rangle_{q_{2n}} \cdots \langle\varrho_1\rangle_{q_1} p\rrbracket_{\mathfrak{K}} = \bigcap_{k_1,\ldots,k_n\in\mathbb{N}} \llbracket\lfloor\varrho_{2n}\rfloor_{1-q_{2n}+1/k_n}\lfloor\varrho_{2n-1}\rfloor_{q_{2n-1}} \cdots \lfloor\varrho_2\rfloor_{1-q_2+1/k_1}\lfloor\varrho_1\rfloor_{q_1} p\rrbracket_{\mathfrak{M}}$$

and

$$\llbracket\langle\varrho_{2n+1}\rangle_{q_{2n+1}} \cdots \langle\varrho_1\rangle_{q_1} p\rrbracket_{\mathfrak{K}} = \bigcap_{k_1,\ldots,k_n\in\mathbb{N}} S \setminus \llbracket\lfloor\varrho_{2n+1}\rfloor_{q_{2n+1}}\lfloor\varrho_{2n}\rfloor_{1-q_{2n}+1/k_n}\lfloor\varrho_{2n-1}\rfloor_{q_{2n-1}} \cdots \lfloor\varrho_2\rfloor_{1-q_2+1/k_1}\lfloor\varrho_1\rfloor_{q_1} p\rrbracket_{\mathfrak{M}}.$$

⊣
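Lemma 5.3 can be checked mechanically for $n = 1$ on a finite state space, which also makes visible where the hypothesis $K_\varrho(s)(S) = 1$ enters (the step $(\rho)$ of the proof, where $1 - \sup$ is traded for $\inf$). The following Python example is added here and is not from the paper; the kernels `K1` and `K2`, the sub-stochastic variant `K2_SUB`, the set `A` and the grid of thresholds are constructed for it. The only step beyond the page is the evaluation of the infinite intersection over $k$, which on a finite state space reduces to a non-strict inequality.

```python
"""Added example, not code from the paper: Lemma 5.3, Equation (24), for
n = 1 on a finite state space, and a sub-stochastic counterexample showing
that the hypothesis K(s)(S) = 1 cannot be dropped."""
from fractions import Fraction as F

def mass(K, s, A):
    """K(s)(A) for a kernel given as a list of rows and a set A of states."""
    return sum(K[s][t] for t in A)

def I_set(K, A, q):
    """I(A | rho, q) = {s | K(s)(A) >= q}: the diamond modality, eq. (22)."""
    return frozenset(s for s in range(len(K)) if mass(K, s, A) >= q)

def J_set(K, A, q):
    """J(A | rho, q) = {s | K(s)(A) < q}: the floor modality, eq. (16)."""
    return frozenset(s for s in range(len(K)) if mass(K, s, A) < q)

def J_limit(K, A, c):
    """Intersection over all k >= 1 of J(A | rho, c + 1/k).  With finitely
    many states, K(s)(A) < c + 1/k for every k holds iff K(s)(A) <= c, so the
    infinite intersection is computed exactly (elementary step, ours)."""
    return frozenset(s for s in range(len(K)) if mass(K, s, A) <= c)

def lhs_24(K1, K2, A, q1, q2):
    """I(A | rho1, q1, rho2, q2) = I(I(A | rho1, q1), rho2, q2)."""
    return I_set(K2, I_set(K1, A, q1), q2)

def rhs_24(K1, K2, A, q1, q2):
    """cap_{k in N} J(A | rho1, q1, rho2, 1 - q2 + 1/k): right side of (24), n = 1."""
    return J_limit(K2, J_set(K1, A, q1), 1 - q2)

def is_probabilistic(K):
    """The hypothesis of Lemma 5.3: every row has total mass 1."""
    return all(mass(K, s, range(len(K))) == 1 for s in range(len(K)))

def violations(K1, K2, A, grid):
    """All threshold pairs (q1, q2) from the grid for which (24) fails."""
    return [(q1, q2) for q1 in grid for q2 in grid
            if lhs_24(K1, K2, A, q1, q2) != rhs_24(K1, K2, A, q1, q2)]

# Constructed kernels on three states; A plays the role of a formula's extension.
K1 = [[F(1, 2), F(1, 4), F(1, 4)], [F(0), F(1, 2), F(1, 2)], [F(0), F(0), F(1)]]
K2 = [[F(1, 3), F(1, 3), F(1, 3)], [F(1, 2), F(0), F(1, 2)], [F(0), F(1), F(0)]]
K2_SUB = [[F(1, 3), F(1, 3), F(0)], [F(1, 2), F(0), F(0)], [F(0), F(1, 2), F(0)]]
A = frozenset({2})
GRID = [F(k, 6) for k in range(7)]      # rational thresholds 0, 1/6, ..., 1

if __name__ == "__main__":
    print("probabilistic:", is_probabilistic(K2), violations(K1, K2, A, GRID))
    print("sub-stochastic:", is_probabilistic(K2_SUB), violations(K1, K2_SUB, A, GRID))
```

For the probabilistic kernels no threshold pair violates (24); for `K2_SUB`, whose rows lose mass to non-termination, the pair $(1/2, 1/2)$ already separates the two sides, because $K_{\varrho_2}(s)(S \setminus B) = 1 - K_{\varrho_2}(s)(B)$ no longer holds.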

Note that logic $\mathsf{M}(\mathcal{U}, \mathcal{V})$ does not deal with the choice operator or with indefinite iteration; we do not even have disjunction in this logic after all. Hence we will not be able to interpret the semantics of these operators in $\mathsf{L}(\mathcal{U}, \mathcal{V})$ through operators in $\mathsf{M}(\mathcal{U}, \mathcal{V})$.

Returning to the general discussion, define as above

$$Th_{\mathsf{M}(\mathcal{U},\mathcal{V})}(\mathfrak{K}, s) := \{\varphi \mid \varphi \text{ is a formula in } \mathsf{M}(\mathcal{U}, \mathcal{V}) \text{ and } \mathfrak{K}, s \models \varphi\}$$

the $\mathfrak{K}$-theory associated with state $s$.

It is not difficult to establish that validity is preserved under morphisms.

Proposition 5.5 Let $\mathfrak{K}_1$ and $\mathfrak{K}_2$ be Kripke models, and $f : \mathfrak{K}_1 \to \mathfrak{K}_2$ a morphism, then

$$\mathfrak{K}_1, s \models \varphi \iff \mathfrak{K}_2, f(s) \models \varphi$$

for each state $s$ in $\mathfrak{K}_1$ and each $\mathsf{M}(\mathcal{U}, \mathcal{V})$-formula $\varphi$.

Proof See, e.g., [6, Lemma 6.17]. ⊣

5.3 Expressivity

Kripke models are traditionally related to each other in different ways, which are captured in the following definition.

Definition 5.6 Let $\mathfrak{K}_1$ and $\mathfrak{K}_2$ be Kripke models, then $\mathfrak{K}_1$ and $\mathfrak{K}_2$ are called

1. behaviorally equivalent iff there exists a Kripke model $\mathfrak{K}_0$ and surjective morphisms $f_1, f_2$ with $\mathfrak{K}_1 \xrightarrow{f_1} \mathfrak{K}_0 \xleftarrow{f_2} \mathfrak{K}_2$,

2. HM-equivalent iff

$$\{Th_{\mathsf{M}(\mathcal{U},\mathcal{V})}(\mathfrak{K}_1, s) \mid s \text{ is a state in } \mathfrak{K}_1\} = \{Th_{\mathsf{M}(\mathcal{U},\mathcal{V})}(\mathfrak{K}_2, t) \mid t \text{ is a state in } \mathfrak{K}_2\},$$

3. bisimilar iff there exists a Kripke model $\mathfrak{K}_3$ and surjective morphisms $f_1, f_2$ with $\mathfrak{K}_1 \xleftarrow{f_1} \mathfrak{K}_3 \xrightarrow{f_2} \mathfrak{K}_2$.

The name HM-equivalence alludes to the Hennessy-Milner logic which gives the context of this discussion. Usually the term "logical equivalence" is used. We will define logical equivalence below for models, and we do not want these very closely related concepts to get confused. Thus $\mathfrak{K}_1$ and $\mathfrak{K}_2$ are behaviorally equivalent iff we can find an intermediate Kripke model which permits comparing the validity of formulas through surjective morphisms; we need surjectivity here because we want to be able to trace back a state in the intermediate Kripke model to $\mathfrak{K}_1$ and $\mathfrak{K}_2$. Otherwise we could simply take the coproduct of the Kripke models, see Example 4.2. The models are bisimilar iff we can find a mediating model for them, and they are HM-equivalent iff we can find for each state in $\mathfrak{K}_1$ another state in $\mathfrak{K}_2$ which satisfies exactly the same formulas, and vice versa. The reader is referred to [14, 3, 6, 10] for an extensive discussion stressing different angles.

Kripke models have been defined over the category of measurable spaces; the discussion of bisimilarity, however, requires some differentiation with respect to the base category for the state space.

The following result is well known.

Theorem 5.7 Let $\mathfrak{K}_1$ and $\mathfrak{K}_2$ be Kripke models, and consider these statements.

a. $\mathfrak{K}_1$ and $\mathfrak{K}_2$ are behaviorally equivalent.

b. $\mathfrak{K}_1$ and $\mathfrak{K}_2$ are HM-equivalent.

c. $\mathfrak{K}_1$ and $\mathfrak{K}_2$ are bisimilar.

Then the following holds:

i. a ⟸ c ⟹ b.

ii. If $\mathfrak{K}_1$ and $\mathfrak{K}_2$ both are models over analytic spaces, and if both $\mathcal{U}$ and $\mathcal{V}$ are countable, then all three statements are equivalent. Moreover, if $\mathfrak{K}_1$ and $\mathfrak{K}_2$ are Kripke models over Polish spaces, then in this case a mediating model over a Polish space may be constructed.

Proof See [10, Theorem 6.17] for part i, and for models over Polish spaces in part ii. The case of Kripke models over analytic spaces has first been discussed in [11, 7]. ⊣

Sánchez Terraf shows in [21] that the existence of a bisimulation is tied to analytic and, by implication, to Polish spaces. Hence an attempt to generalize part ii of Theorem 5.7 to general measurable spaces is futile.

Given a model $\mathfrak{M} = (\mathfrak{K}, \Phi, \Psi)$, call $\mathfrak{K}$ the Kripke model underlying $\mathfrak{M}$. Define for models $\mathfrak{M}_1 = (\mathfrak{K}_1, \Phi, \Psi)$ and $\mathfrak{M}_2 = (\mathfrak{K}_2, \Phi, \Psi)$ a model morphism $f : \mathfrak{M}_1 \to \mathfrak{M}_2$ as a morphism $f : \mathfrak{K}_1 \to \mathfrak{K}_2$ for the underlying Kripke models. Note that $\Phi$ and $\Psi$ do not enter explicitly into this definition because they are natural transformations, hence by their very nature compatible with morphisms for Kripke models.

Behavioral equivalence and bisimilarity can be described in terms of these morphisms:

Definition 5.8 Models $\mathfrak{M}_1$ and $\mathfrak{M}_2$ are behaviorally equivalent iff there exists a model $\mathfrak{M}_0$ and surjective morphisms $f_1, f_2$ with $\mathfrak{M}_1 \xrightarrow{f_1} \mathfrak{M}_0 \xleftarrow{f_2} \mathfrak{M}_2$. If a mediating model $\mathfrak{M}_3$ and surjective morphisms $g_1, g_2$ exist with $\mathfrak{M}_1 \xleftarrow{g_1} \mathfrak{M}_3 \xrightarrow{g_2} \mathfrak{M}_2$, then $\mathfrak{M}_1$ and $\mathfrak{M}_2$ are called bisimilar. $\mathfrak{M}_1$ and $\mathfrak{M}_2$ are logically equivalent iff

$$\{Th_{\mathsf{L}(\mathcal{U},\mathcal{V})}(\mathfrak{M}_1, s) \mid s \text{ is a state in } \mathfrak{M}_1\} = \{Th_{\mathsf{L}(\mathcal{U},\mathcal{V})}(\mathfrak{M}_2, t) \mid t \text{ is a state in } \mathfrak{M}_2\}.$$

We obtain from Proposition 5.5

Proposition 5.9 Let $\mathfrak{M}_1$ and $\mathfrak{M}_2$ be models and $f : \mathfrak{M}_1 \to \mathfrak{M}_2$ be a model morphism. Then

$$\mathfrak{M}_1, s \models \varphi \iff \mathfrak{M}_2, f(s) \models \varphi \qquad (26)$$

for each state $s$ of $\mathfrak{M}_1$ and each formula $\varphi$ in $\mathsf{L}(\mathcal{U}, \mathcal{V})$.

Proof The statement may be reformulated as $\llbracket\varphi\rrbracket_{\mathfrak{M}_1} = f^{-1}[\llbracket\varphi\rrbracket_{\mathfrak{M}_2}]$. We argue by induction on $\varphi$. The equivalence in (26) is true for $\varphi = \top$ and for atomic propositions by the definition of a morphism. If it is true for $\varphi_1$ and for $\varphi_2$, then it is also true for $\varphi_1 \wedge \varphi_2$. We do an induction on program $\pi$ in formula $\lfloor\pi\rfloor_q\varphi$, assuming that the equivalence (26) holds for $\varphi$. If $\pi = \varrho_1; \ldots; \varrho_n \in \Omega(\mathcal{U})$, the assertion follows from Lemma 3.9; for $\pi = \pi_1 \cup \pi_2$ and for $\pi = \pi_1^*$ the assertion follows from the fact that $\Phi$ and $\Psi$ are natural transformations. ⊣

Because morphisms for models and for their underlying Kripke models are the same, we obtain immediately

Corollary 5.10 Let $\mathfrak{M}_1$ and $\mathfrak{M}_2$ be models with underlying Kripke models $\mathfrak{K}_1$ resp. $\mathfrak{K}_2$, then

a. $\mathfrak{M}_1$ and $\mathfrak{M}_2$ are behaviorally equivalent iff $\mathfrak{K}_1$ and $\mathfrak{K}_2$ are behaviorally equivalent.

b. $\mathfrak{M}_1$ and $\mathfrak{M}_2$ are bisimilar iff $\mathfrak{K}_1$ and $\mathfrak{K}_2$ are bisimilar. ⊣

The construction of a model onto which logically equivalent models can be mapped requires some technical preparations, which we now turn to.
5.4 Factoring

The factor construction for the investigation of logical equivalence follows basically [19] and [7, Section 2.6.2]; this construction cannot be used for the present purpose as it stands, because some small but not unimportant changes have to be made. Hence we construct factors fairly explicitly for the reader's convenience, pointing out differences as we go. Preparing for the construction, we recall the important $\pi$-$\lambda$-Theorem from the theory of Borel sets [Theorem 1.3.1].

Proposition 5.11 Let $\mathcal{A}$ be a family of subsets of a set $X$ that is closed under finite intersections. Then $\sigma(\mathcal{A})$ is the smallest family of subsets containing $\mathcal{A}$ which is closed under complementation and countable disjoint unions. In particular, if the measures $\mu_1, \mu_2 \in \mathfrak{S}(\sigma(\mathcal{A}))$ coincide on $\mathcal{A}$, then they are equal on $\sigma(\mathcal{A})$. ⊣

This yields a proof strategy for the identification of $\sigma$-algebras in the construction to follow. It goes like this. In order to establish a property for all measurable sets, we will single out those sets for which the property holds and show that these sets form a generator which is closed under finite intersections. Then we will conclude through Proposition 5.11 that the property holds for each set in the $\sigma$-algebra.

The following simple statement will be technically helpful as well.

Lemma 5.12 Let $f : M \to N$ be a map, and assume that $A \subseteq M$ is $f$-invariant (i.e., $a \in A$, $f(a) = f(a')$ together imply $a' \in A$). Then $f^{-1}[f[A]] = A$. If $B$ is also $f$-invariant, then $f[A \cap B] = f[A] \cap f[B]$. ⊣

Fix a model $\mathfrak{M} = (\mathfrak{K}, \Phi, \Psi)$ for the moment. Define on the state space $S$ of $\mathfrak{M}$ the equivalence relation

$$s \sim s' \text{ iff } Th_{\mathsf{L}(\mathcal{U},\mathcal{V})}(\mathfrak{M}, s) = Th_{\mathsf{L}(\mathcal{U},\mathcal{V})}(\mathfrak{M}, s').$$

Thus $s \sim s'$ iff the states $s$ and $s'$ satisfy exactly the same PDL formulas. Define on $S$ the set $\mathcal{E}_{PDL}$ of extensions of formulas through

$$\mathcal{E}_{PDL} := \{\llbracket\varphi\rrbracket_{\mathfrak{M}} \mid \varphi \text{ is a PDL formula}\}.$$

Note that $\mathcal{E}_{PDL} \subseteq \mathcal{B}(S)$ is closed under finite intersections, because the logic is closed under finite conjunctions. Make the factor space $S/\!\sim$ a measurable space by defining the $\sigma$-algebra

$$\mathcal{B}(S/\!\sim) := \sigma(\{A \subseteq S/\!\sim \mid \eta_\sim^{-1}[A] \in \mathcal{E}_{PDL}\}).$$

The $\sigma$-algebra is generated by the images of the formulas' extensions:

Lemma 5.13 The set $\mathcal{A} := \{\eta_\sim[\llbracket\varphi\rrbracket_{\mathfrak{M}}] \mid \varphi \text{ is a PDL formula}\}$ is a generator of $\mathcal{B}(S/\!\sim)$ which is closed under finite intersections. If there are countably many PDL-formulas, then $\mathcal{B}(S/\!\sim)$ is countably generated.

Proof Each extension is $\sim$-invariant by construction, the logic is closed under conjunctions, thus $\mathcal{A}$ is closed under finite intersections by Lemma 5.12. It follows also that $\llbracket\varphi\rrbracket_{\mathfrak{M}} = \eta_\sim^{-1}[\eta_\sim[\llbracket\varphi\rrbracket_{\mathfrak{M}}]]$, thus $\mathcal{A} \subseteq \mathcal{B}(S/\!\sim)$. Now, if $\eta_\sim^{-1}[A] \in \mathcal{E}_{PDL}$, then we find some PDL-formula $\varphi$ with $\llbracket\varphi\rrbracket_{\mathfrak{M}} = \eta_\sim^{-1}[A]$, so that $A = \eta_\sim[\llbracket\varphi\rrbracket_{\mathfrak{M}}]$, because $\eta_\sim$ is onto. This implies $\mathcal{B}(S/\!\sim) \subseteq \sigma(\mathcal{A})$.

Plainly, if there are countably many PDL-formulas, then $\mathcal{A}$ is countable. ⊣
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Corollary 5.14 rj^ : S — > S/~ is measurable. 

Proof Put V := {A G B(S/~) \ rfZ 1 [A] G B(S)}, then V is plainly closed under com- 
plementation and countable disjoint unions. We obtain from Lemma 15.11 and from \<^\jh = 
i]^ 1 [v~ [[vlaJt]] that rj^ [[(/j]«»t] G T> for each formula so it follows from Lemma 15.131 that 
T> = B(S/~), from which the assertion follows. H 

This observation permits the construction of a stochastic relation fc e : S*/~ ~~> S/~ for each 
q £L U. One first notes that s ~ s' implies K e (s) (\(p\m) = K g (s') (lyjart) for each PDL- 
formula (/?. In fact, if, say, if e (s)(|<^]gjt) < i^g(s')([(^]gjt), then we can find q rational with 
■KeOOflMlsw) < <7 < ^(sOCMart), so that 971, s |= L£~l 9 ¥>> but 97t,s' H= L^l g Vj contradicting 
s ~ s'. Consequently, s h-> -KgCsXIvlatt) is constant on each ~-class, so that 

k B ([sU(A) := KeWvZ 1 [A]) 

is well defined on 5/~ whenever ^4 € B(S/~). Is is clear that A; e ([s]^) € 6 so that 

measurability needs to be established. 



Proposition 5.15 $k_\varrho : S/\sim \rightsquigarrow S/\sim$ is a stochastic relation for each $\varrho \in \mathcal{U}$.

Proof Put $\mathcal{D} := \{A \in \mathcal{B}(S/\sim) \mid v \mapsto k_\varrho(v)(A) \text{ is } \mathcal{B}(S/\sim)\text{-measurable}\}$. Then evidently $\mathcal{D}$ is closed under complementation and under countable disjoint unions. Moreover, $\eta_\sim[\llbracket\varphi\rrbracket_{\mathfrak{M}}] \in \mathcal{D}$ for each formula $\varphi$, because by Lemma 5.13

\[ \{v \mid k_\varrho(v)(\eta_\sim[\llbracket\varphi\rrbracket_{\mathfrak{M}}]) < q\} = \eta_\sim[\llbracket [\varrho]_q\,\varphi \rrbracket_{\mathfrak{M}}] \in \mathcal{B}(S/\sim) \]

for each rational $q$. Applying Lemma 5.13 again, we see that $\mathcal{D} = \mathcal{B}(S/\sim)$. ⊣

Taking $\varphi = \top$, we obtain in particular from the argument above that

\[ s \sim s' \text{ implies } \forall \varrho \in \mathcal{U} : K_\varrho(s)(S) = K_\varrho(s')(S). \tag{27} \]



Now define the Kripke model

\[ \mathfrak{K}/\sim \; := \; (S/\sim, (k_\varrho)_{\varrho\in\mathcal{U}}, V_\sim) \]

with $V_\sim := \{\eta_\sim[V(p)] \mid p \in \mathcal{P}\}$ as the valuations for the atomic propositions. It may be noted that the equivalence relation has been defined through a model, but that we define the Kripke model now on its classes. The following observation is immediate.

Lemma 5.16 $\eta_\sim : \mathfrak{K} \to \mathfrak{K}/\sim$ is a morphism for Kripke models. ⊣

Define for the logically equivalent models $\mathfrak{M}_1$ and $\mathfrak{M}_2$ with underlying Kripke models $\mathfrak{K}_1$ and $\mathfrak{K}_2$ over state spaces $S_1$ resp. $S_2$ the map $\kappa$ as follows:

\[ \kappa : S_1/\sim \to S_2/\sim, \qquad \kappa([s_1]_\sim) := [s_2]_\sim \text{ iff } \mathrm{Th}_{L(\mathcal{U},\mathcal{P})}(\mathfrak{M}_1, s_1) = \mathrm{Th}_{L(\mathcal{U},\mathcal{P})}(\mathfrak{M}_2, s_2). \]

On account of logical equivalence, $\kappa$ is a bijection, but we can say even more.

Proposition 5.17 $\kappa : \mathfrak{K}_1/\sim \to \mathfrak{K}_2/\sim$ is an isomorphism.



Coalgebraic Interpretation of PDL, September 19, 2011, Page 28



Proof 1. We show first that $\kappa : S_1/\sim \to S_2/\sim$ is measurable. In fact, let

\[ \mathcal{D} := \{A \in \mathcal{B}(S_2/\sim) \mid \kappa^{-1}[A] \in \mathcal{B}(S_1/\sim)\}; \]

then it is by Proposition 5.11 and Lemma 5.13 enough to show that $\eta_\sim[\llbracket\varphi\rrbracket_{\mathfrak{M}_2}] \in \mathcal{D}$ for each PDL formula $\varphi$. This follows from

\[ \kappa^{-1}[\eta_\sim[\llbracket\varphi\rrbracket_{\mathfrak{M}_2}]] = \eta_\sim[\llbracket\varphi\rrbracket_{\mathfrak{M}_1}]. \]

This implies measurability, and the equation

\[ \kappa[\eta_\sim[\llbracket\varphi\rrbracket_{\mathfrak{M}_1}]] = \eta_\sim[\llbracket\varphi\rrbracket_{\mathfrak{M}_2}] \]

shows that $\kappa^{-1}$ is measurable as well.

2. Observe that we have

\[ k_{1,\varrho}([s_1]_\sim)(\eta_\sim[\llbracket\varphi\rrbracket_{\mathfrak{M}_1}]) = k_{2,\varrho}([s_2]_\sim)(\eta_\sim[\llbracket\varphi\rrbracket_{\mathfrak{M}_2}]) \tag{$*$} \]

for each $\varrho \in \mathcal{U}$ and $s_1, s_2$ with $\kappa([s_1]_\sim) = [s_2]_\sim$ and for each formula $\varphi$ (we argue in Equation ($*$) as in the proof of Corollary 5.14). Because

\[ \mathcal{D} := \{A \in \mathcal{B}(S_2/\sim) \mid k_{2,\varrho}(\kappa([s_1]_\sim))(A) = k_{1,\varrho}([s_1]_\sim)(\kappa^{-1}[A])\} \]

is by (27) closed under complementation and countable disjoint unions, and since it contains all sets $\eta_\sim[\llbracket\varphi\rrbracket_{\mathfrak{M}_2}]$ by the argument above, it equals $\mathcal{B}(S_2/\sim)$ by Lemma 5.12 and by Proposition 5.11. A very similar argument applies to $\kappa^{-1}$. ⊣

These constructions can be carried out in general measurable spaces and do not need the 
requirement of separability, which will enter the argument in a moment. 

5.5 Logical Equivalence 

This, then, is a characterization of logical vs. behavioral equivalence. 

Proposition 5.18 Let $\mathfrak{M}_1$ and $\mathfrak{M}_2$ be models, and consider these statements.

a. $\mathfrak{M}_1$ and $\mathfrak{M}_2$ are behaviorally equivalent.

b. $\mathfrak{M}_1$ and $\mathfrak{M}_2$ are logically equivalent.

Then

i. a $\Rightarrow$ b.

ii. If the set $\mathcal{U}$ of primitive programs and the set $\mathcal{P}$ of atomic propositions are countable, then b $\Rightarrow$ a.

Proof 1. Part i follows immediately from Proposition 5.9, so part ii remains to be established.

2. Let $\mathfrak{K}_1$ and $\mathfrak{K}_2$ be the Kripke models underlying $\mathfrak{M}_1$ resp. $\mathfrak{M}_2$. Construct the models $\mathfrak{K}_1/\sim$ and $\mathfrak{K}_2/\sim$ and the isomorphism $\kappa : \mathfrak{K}_1/\sim \to \mathfrak{K}_2/\sim$ as in Proposition 5.17; then the state spaces of these models are separable according to Lemma 5.13. Complete $\mathfrak{K}_1/\sim$ according to Proposition 3.6; then we have the morphisms

\[ \mathfrak{K}_1 \longrightarrow \overline{\mathfrak{K}_1/\sim} \longleftarrow \mathfrak{K}_2, \]

because both $\mathfrak{K}_1$ and $\mathfrak{K}_2$ are defined over complete spaces, again by Proposition 3.6. This is so because the factor map $\eta_\sim : S_1 \to S_1/\sim$ is also a measurable map $\overline{S_1} \to \overline{S_1/\sim}$. Hence $\eta_\sim : \mathfrak{K}_1 \to \mathfrak{K}_1/\sim$ extends to a morphism $\overline{\eta_\sim} : \mathfrak{K}_1 \to \overline{\mathfrak{K}_1/\sim}$. A similar argument applies to $\mathfrak{K}_2$.

Now define $\mathfrak{M}$ as the model with underlying Kripke model $\overline{\mathfrak{K}_1/\sim}$; then $\overline{\eta_\sim} : \mathfrak{M}_1 \to \mathfrak{M}$ and $\overline{\kappa}^{-1} \circ \overline{\eta_\sim} : \mathfrak{M}_2 \to \mathfrak{M}$ are the desired morphisms. ⊣

6 Generalized Models 

The state space of a model is assumed to be a universally complete measurable space. We 
relax this a bit by introducing generalized models. This is necessary in order to get a firmer 
grip on state spaces that are Polish, as will be argued below. 

Definition 6.1 $\mathfrak{N}$ is called a generalized model (g-model) iff $\mathfrak{K}$ is a Kripke model over a general measurable space, and the two natural transformations (the binary one and the one of infinite arity) have the same properties as in Definition 4.8. A morphism $\mathfrak{N}_1 \to \mathfrak{N}_2$ is a morphism $\mathfrak{K}_1 \to \mathfrak{K}_2$ for the underlying Kripke models.

Behavioral equivalence can be defined for g-models through morphisms exactly as in Definition 5.2. It is, however, difficult to discuss logical equivalence, because the validity of formulas cannot be described without information about the measurable structure of the validity sets. This is so since $K_\varrho : S \rightsquigarrow S$ might not be extendable to $\overline{K_\varrho} : \overline{S} \rightsquigarrow \overline{S}$ in general, i.e., without additional assumptions.

Call a Kripke model separable iff its state space is countably generated, and call accordingly a g-model separable iff the underlying Kripke model is separable. For $\mathfrak{N}$ separable we can construct a model $\overline{\mathfrak{N}}$ by completion, its underlying Kripke model being $\overline{\mathfrak{K}} = (\overline{S}, (\overline{K_\varrho})_{\varrho\in\mathcal{U}}, \overline{V})$, the completion of the Kripke model $\mathfrak{K}$. Thus we may call separable g-models $\mathfrak{N}_1$ and $\mathfrak{N}_2$ logically equivalent iff their completions $\overline{\mathfrak{N}}_1$ and $\overline{\mathfrak{N}}_2$ are logically equivalent.

Assume that the Kripke model $\mathfrak{K}$ is separable. Then the inclusion $\mathfrak{K} \to \overline{\mathfrak{K}}$ is a morphism, hence

\[ \mathrm{Th}_{M(\mathcal{U},\mathcal{P})}(\mathfrak{K}, s) = \mathrm{Th}_{M(\mathcal{U},\mathcal{P})}(\overline{\mathfrak{K}}, s) \tag{28} \]

for each state $s$ of $\mathfrak{K}$ by Proposition 5.5. This implies that two separable Kripke models are HM-equivalent iff their completions are HM-equivalent. We obtain

Proposition 6.2 Let $\mathfrak{N}_1$ and $\mathfrak{N}_2$ be separable g-models with underlying Kripke models $\mathfrak{K}_1$ and $\mathfrak{K}_2$. Consider

a. $\mathfrak{N}_1$ and $\mathfrak{N}_2$ are behaviorally equivalent.

b. $\mathfrak{N}_1$ and $\mathfrak{N}_2$ are logically equivalent.

c. $\overline{\mathfrak{K}}_1$ and $\overline{\mathfrak{K}}_2$ are behaviorally equivalent.

d. $\mathfrak{K}_1$ and $\mathfrak{K}_2$ are HM-equivalent.

e. $\overline{\mathfrak{K}}_1$ and $\overline{\mathfrak{K}}_2$ are HM-equivalent.

Then

i. b $\Leftrightarrow$ c $\Leftrightarrow$ d $\Leftrightarrow$ e.

ii. a $\Rightarrow$ b.

Proof 1. The equivalence c $\Leftrightarrow$ d $\Leftrightarrow$ e is the first part of Theorem 5.7 together with the observation (28); the equivalence b $\Leftrightarrow$ c is trivial. This establishes part i.

2. If $f : \mathfrak{N}_1 \to \mathfrak{N}_2$ is a morphism for g-models, then $f : \overline{\mathfrak{N}}_1 \to \overline{\mathfrak{N}}_2$ is a model morphism by virtue of Proposition 3.6. Thus part ii follows from Proposition 5.9. ⊣

If we know that the separable g-models $\mathfrak{N}_1$ and $\mathfrak{N}_2$ are logically equivalent, and that both $\mathcal{U}$ and $\mathcal{P}$ are countable, then we may conclude from part ii of Proposition 5.18 that we can find a model $\mathfrak{M}$ and surjective morphisms $\mathfrak{N}_1 \xrightarrow{g_1} \mathfrak{M} \xleftarrow{g_2} \mathfrak{N}_2$. Tracing the construction, we even know that the model $\mathfrak{M}$ is the completion of a separable g-model. But there is no reason to assume that the inverse images of the morphisms $g_1$ and $g_2$ map Borel sets to Borel sets (rather than Borel sets to universal Borel sets).

Thus for the time being the question remains open whether logically equivalent models are 
behaviorally equivalent as well. 

The existence of a mediating model is dependent on topological assumptions, because, by the standard construction, a mediating model is constructed from a semi-pullback, the existence of which requires an analytic or a Standard Borel space. It is mandatory to discuss g-models in this case, because as a rule Standard Borel spaces are not complete, provided they are not countable. This can be seen as follows. Let $X$ be an uncountable Standard Borel space; then there exists an analytic set $A \subseteq X$ which is not a Borel set [20, Theorem 4.1.5]. $A$ can be obtained through the Souslin operation from a family $\{F_v \mid v \in \mathfrak{F}(\mathbb{N})\}$ of closed sets by [20, Theorem 4.1.13]. If the measurable space $X$ were complete, it would be closed under the Souslin operation by [20, Proposition 3.5.22], hence $A$ would be a Borel set, contrary to the assumption.

We need some preparations. Let $S$ be a Standard Borel space. Call an equivalence relation $\sim$ on $S$ countably generated (or smooth) iff there exists a sequence $(B_n)_{n\in\mathbb{N}} \subseteq \mathcal{B}(S)$ which defines the relation, i.e.,

\[ s \sim s' \iff \forall n \in \mathbb{N} : [s \in B_n \iff s' \in B_n]. \]

A set $B \subseteq S$ is called $\sim$-invariant iff $B$ is the union of $\sim$-classes, equivalently, iff $b \in B$ and $b \sim b'$ together imply $b' \in B$ (hence each $B_n$ is $\sim$-invariant, see Lemma 5.12). Relation $\sim$ defines a $\sigma$-algebra $\mathcal{A}_\sim \subseteq \mathcal{B}(S)$ through its invariant Borel sets, i.e.,

\[ \mathcal{A}_\sim := \sigma(\{B \in \mathcal{B}(S) \mid B \text{ is } \sim\text{-invariant}\}). \]

This construction has been studied quite extensively in the context of stochastic relations. Vice versa, this $\sigma$-algebra determines the equivalence relation uniquely [7]:

Lemma 6.3 Let $S$ be a Standard Borel space with smooth equivalence relations $\sim_1$ and $\sim_2$. If $\mathcal{A}_{\sim_1} = \mathcal{A}_{\sim_2}$, then $\sim_1 = \sim_2$. ⊣

Fix a model $\mathfrak{M}$ with underlying Kripke model $\mathfrak{K}$ and assume that both $\mathcal{U}$ and $\mathcal{P}$ are countable. Consider these sets of formulas:

\begin{align*}
X &:= \{[\varrho_1]_{q_1} \cdots [\varrho_n]_{q_n}\, p \mid p \in \mathcal{P},\ \varrho_1, \ldots, \varrho_n \in \mathcal{U},\ q_1, \ldots, q_n \in \mathrm{Rat}_{0,1},\ n \in \mathbb{N}\} \\
Y &:= \{\langle\varrho_1\rangle_{q_1} \cdots \langle\varrho_n\rangle_{q_n}\, p \mid p \in \mathcal{P},\ \varrho_1, \ldots, \varrho_n \in \mathcal{U},\ q_1, \ldots, q_n \in \mathrm{Rat}_{0,1},\ n \in \mathbb{N}\} \\
Z &:= \{\varphi \mid \varphi \text{ is an } L(\mathcal{U},\mathcal{P})\text{-formula}\}
\end{align*}

The sets $X$ and $Y$ are countable, since $\mathcal{U}$ and $\mathcal{P}$ are. The formulas helping to define $X$ could be called the single-step formulas in $L(\mathcal{U},\mathcal{P})$: execute the simple program $\varrho_n$, check whether its result on the atomic sentence $p$ is below $q_n$, then execute the simple program $\varrho_{n-1}$ on the corresponding states, check whether the result is below $q_{n-1}$, etc. Let $\sim_X$ be the equivalence relation generated by the validity sets $\{\llbracket\varphi\rrbracket_{\mathfrak{M}} \mid \varphi \in X\}$ with $\sigma$-algebra $\mathcal{A}_X$ of invariant sets, similarly for $\sim_Y$ with $\mathcal{A}_Y$ and for $\sim_Z$ with $\mathcal{A}_Z$.

The following observation is obvious, because all formulas from $Z$ are generated from the formulas from $Y$ by finitary operations.
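The following worked example is added here and is not part of the paper. On a constructed three-state model it illustrates the single-step formulas just described and the invariant $\sigma$-algebra $\mathcal{A}_X$, and thereby also the smooth relation with its $\sigma$-algebra $\mathcal{A}_\sim$ from the preparations above. The state space, the transition law $K_\varrho$ and the valuation $V$ are assumptions chosen for the illustration; the clause $\mathfrak{M}, s \models [\varrho]_q\,\varphi$ iff $K_\varrho(s)(\llbracket\varphi\rrbracket_{\mathfrak{M}}) < q$ is the one used in the argument following Corollary 5.14.

```latex
% Constructed example (not from the paper): a strictly probabilistic Kripke model
% with one primitive program and one atomic proposition.
\begin{align*}
S &:= \{s_1, s_2, s_3\}, \qquad \mathcal{U} := \{\varrho\}, \qquad \mathcal{P} := \{p\}, \qquad V(p) := \{s_3\},\\
K_\varrho(s_1) &:= \tfrac12\,\delta_{s_1} + \tfrac12\,\delta_{s_3}, \qquad
K_\varrho(s_2) := \tfrac12\,\delta_{s_2} + \tfrac12\,\delta_{s_3}, \qquad
K_\varrho(s_3) := \delta_{s_3}.
\end{align*}
% Each K_rho(s) has total mass 1, so the assumption (29) of the paper holds.
% Validity sets of single-step formulas, with q, q_1, q_2 rational in [0,1]:
\begin{align*}
\llbracket p \rrbracket_{\mathfrak{M}} &= \{s_3\},\\
\llbracket [\varrho]_q\, p \rrbracket_{\mathfrak{M}}
 &= \{s \mid K_\varrho(s)(\{s_3\}) < q\}
 = \begin{cases} \{s_1, s_2\}, & q > \tfrac12,\\ \emptyset, & q \le \tfrac12, \end{cases}\\
\llbracket [\varrho]_{q_1}[\varrho]_{q_2}\, p \rrbracket_{\mathfrak{M}}
 &= \{s \mid K_\varrho(s)(\llbracket [\varrho]_{q_2}\, p \rrbracket_{\mathfrak{M}}) < q_1\}
 = \begin{cases} S, & q_2 > \tfrac12,\ q_1 > \tfrac12,\\
                 \{s_3\}, & q_2 > \tfrac12,\ 0 < q_1 \le \tfrac12,\\
                 S, & q_2 \le \tfrac12,\ q_1 > 0,\\
                 \emptyset, & q_1 = 0. \end{cases}
\end{align*}
% The permutation exchanging s_1 and s_2 (fixing s_3) preserves V and K_rho, hence
% maps every validity set onto itself: s_1 and s_2 satisfy the same formulas of X,
% while p separates s_3 from both. So the classes of ~_X are {s_1,s_2} and {s_3}, and
\[
\mathcal{A}_X \;=\; \sigma\bigl(\{\llbracket\varphi\rrbracket_{\mathfrak{M}} \mid \varphi \in X\}\bigr)
 \;=\; \{\emptyset,\ \{s_1, s_2\},\ \{s_3\},\ S\},
\]
% which is exactly the sigma-algebra of ~_X-invariant subsets of S.
```

The relation $\sim_X$ is smooth in the sense of the definition above, generated by the single Borel set $B_1 := \{s_3\}$, and $\mathcal{A}_{\sim_X}$ coincides with $\mathcal{A}_X$. By Lemma 6.5 and Corollary 6.6 below, $s_1$ and $s_2$ then agree not only on the formulas of $X$ but on every $L(\mathcal{U},\mathcal{P})$-formula.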

Lemma 6.4 $\mathcal{A}_Y = \mathcal{A}_Z$. ⊣

Throughout the rest of the paper, we make in view of Lemma 5.3 the assumption that all Kripke models $(S, (K_\varrho)_{\varrho\in\mathcal{U}}, V)$ are strictly probabilistic, i.e., that

\[ \forall \varrho \in \mathcal{U}\ \forall s \in S : K_\varrho(s)(S) = 1 \tag{29} \]

holds.

Lemma 6.5 $\mathcal{A}_X = \mathcal{A}_Y$.

Proof We infer from Corollary 5.4 that $\llbracket\varphi\rrbracket_{\mathfrak{M}}$ is expressible through sets from $\mathcal{A}_X$ for each $\varphi \in Y$, thus $\mathcal{A}_Y \subseteq \mathcal{A}_X$. Starting from Equation (23), a similar representation of $\llbracket\varphi\rrbracket_{\mathfrak{M}}$ for $\varphi \in X$ through sets from $\mathcal{A}_Y$ yields the other inclusion. ⊣

This has as an immediate consequence

Corollary 6.6 These statements are equivalent for states $s, s'$ in a g-model $\mathfrak{N}$ with underlying Kripke model $\mathfrak{K}$.

a. $\mathfrak{N}, s \models \varphi \iff \mathfrak{N}, s' \models \varphi$ for all single-step formulas $\varphi$, i.e., all $M(\mathcal{U},\mathcal{P})$-formulas $\varphi$ of the shape $[\varrho_1]_{q_1} \cdots [\varrho_n]_{q_n}\, p$ with $\varrho_1, \ldots, \varrho_n \in \mathcal{U}$, $q_1, \ldots, q_n \in \mathrm{Rat}_{0,1}$, $n \in \mathbb{N}$ and $p \in \mathcal{P}$.

b. $\mathfrak{K}, s \models \psi \iff \mathfrak{K}, s' \models \psi$ for all $L(\mathcal{U},\mathcal{P})$-formulas $\psi$.

Proof Lemma 6.5, Lemma 6.4 and Lemma 6.3. ⊣

Given g-models $\mathfrak{N}_1$ and $\mathfrak{N}_2$ with underlying Kripke models $\mathfrak{K}_1$ and $\mathfrak{K}_2$ over state spaces $S_1$ resp. $S_2$, construct the g-model $\mathfrak{N}_1 \oplus \mathfrak{N}_2 := \mathfrak{K}_1 \oplus \mathfrak{K}_2$, see Example 4.2, with embeddings $i_{S_1}$ and $i_{S_2}$. It is not difficult to see that $S_1 + S_2$ is a Standard Borel space, provided $S_1$ and $S_2$ are, that $\overline{S_1 + S_2} = \overline{S_1} + \overline{S_2}$, and, because $\mathfrak{N}_1 \xrightarrow{i_{S_1}} \mathfrak{N}_1 \oplus \mathfrak{N}_2 \xleftarrow{i_{S_2}} \mathfrak{N}_2$ are morphisms,

\begin{align*}
\mathfrak{N}_1, s_1 \models \varphi &\iff \mathfrak{N}_1 \oplus \mathfrak{N}_2, i_{S_1}(s_1) \models \varphi \\
\mathfrak{N}_2, s_2 \models \varphi &\iff \mathfrak{N}_1 \oplus \mathfrak{N}_2, i_{S_2}(s_2) \models \varphi
\end{align*}

for all $M(\mathcal{U},\mathcal{P})$-formulas $\varphi$.

We finally obtain for generalized models 

Proposition 6.7 Let $\mathfrak{N}_1$ and $\mathfrak{N}_2$ be generalized models with Standard Borel state spaces, and assume that both $\mathcal{U}$ and $\mathcal{P}$ are countable. These statements are equivalent.

a. $\mathfrak{N}_1$ and $\mathfrak{N}_2$ are logically equivalent.

b. $\mathfrak{N}_1$ and $\mathfrak{N}_2$ are behaviorally equivalent.

c. $\mathfrak{N}_1$ and $\mathfrak{N}_2$ are bisimilar.

Proof 0. Because Standard Borel spaces are based on Polish spaces, which in turn have a countable base for their topology, the g-models under consideration are countably based.

1. a $\Rightarrow$ c: Assume that $\mathfrak{N}_1$ and $\mathfrak{N}_2$ are logically equivalent. Let $\mathfrak{K}_1$ and $\mathfrak{K}_2$ be the underlying Kripke models with state spaces $S_1$ and $S_2$ and valuations $V_1$ resp. $V_2$. We claim that $\mathfrak{K}_1$ and $\mathfrak{K}_2$ are HM-equivalent. Given $s \in S_1$ there exists $s' \in S_2$ with $\mathrm{Th}_{M(\mathcal{U},\mathcal{P})}(\mathfrak{N}_1, s) = \mathrm{Th}_{M(\mathcal{U},\mathcal{P})}(\mathfrak{N}_2, s')$, so that

\[ \mathfrak{N}_1, s \models \varphi \iff \mathfrak{N}_2, s' \models \varphi \]

holds for all $M(\mathcal{U},\mathcal{P})$-formulas $\varphi$, thus

\[ \mathfrak{N}_1 \oplus \mathfrak{N}_2, i_{S_1}(s) \models \varphi \iff \mathfrak{N}_1 \oplus \mathfrak{N}_2, i_{S_2}(s') \models \varphi. \]

This holds in particular for all formulas of the syntactic shape given in part a of Corollary 6.6, from which we infer that

holds for all $L(\mathcal{U},\mathcal{P})$-formulas $\psi$, thus

is inferred for all $L(\mathcal{U},\mathcal{P})$-formulas. Hence $\mathfrak{K}_1$ and $\mathfrak{K}_2$ are HM-equivalent by Proposition [5.?], so that $\mathfrak{N}_1$ and $\mathfrak{N}_2$ are bisimilar by Corollary 5.10. ⊣

7 Conclusion and Further Work 

We investigate propositional dynamic logics (PDL) with a view towards a coalgebraic interpretation. This logic is technically a bit more challenging than the usual modal logics because its modalities do not always correspond to the interpreting relations in a Kripke model. Hence these relations have to be provided, which is straightforward for non-deterministic Kripke models, but turns out to be somewhat involved in the case of their stochastic counterpart. This is so since there are no natural counterparts to the program constructs in the set of stochastic relations. We observe also that interpreting PDL makes some informal assumptions on the programs' semantics like associativity over the basic operations or some sort of distributivity of program composition and the nondeterministic choice.

In order to prepare the ground for a coalgebraic interpretation we have a closer look at the programs; they are perceived as elements of a term algebra, the primitive terms being taken from a set of primitive programs. The informal semantics is translated into a set of rewrite rules and equations; it turns out that we have to adjust the term algebra a bit when looking at the indefinite iteration of a program. Each program is shown to correspond to an irreducible one, unique up to the congruence made up from the rewriting rules and the equations. This irreducible program can easily be interpreted in a coalgebra, because we have eliminated the crucial indefinite iteration and replaced it by an operation which is easier to handle (but there is no free lunch: we pay the price for this by an operation of infinite arity).
We specialize the coalgebraic discussion for most of the paper to coalgebras related to the subprobability functor. They are discussed and brought into the interpretation. This is followed by the investigation of the expressivity of the corresponding models. Due to some measure-theoretic observations we have to discuss these questions with a distinct look for the details, i.e., for the particulars of the underlying state spaces. It turns out to be helpful to complete a model and to study the interplay of completion and expressivity.

Further work will include applying the present approach to game logics as proposed by Parikh [16], see also [17]. A first step towards a coalgebraic interpretation can be found in [8], where in particular the notions of bisimilarity from [16, 17] have been related to the one studied in coalgebras [15].

While the present approach deals mainly with stochastic relations and the corresponding 
predicate liftings, the use of term rewriting can certainly be applied for defining the coalgebraic 
semantics of dynamic logics for other functors. 